Hackers Spawn Web Supercomputer On Way To Chess World Record
New submitter DeathGrippe sends in an article from Wired about a new take on distributed computing efforts like SETI@Home. From Wired:
"By inserting a bit of JavaScript into a webpage, Pethiyagoda says, a site owner could distribute a problem amongst all the site's visitors. Visitors' computers or phones would be running calculations in the background while they read a page. With enough visitors, he says, a site could farm out enough small calculations to solve some difficult problems. ... With this year's run on the value of Bitcoins — the popular digital currency — security expert Mikko Hyppönen thinks that criminals might soon start experimenting with this type of distributed computing too. He believes that crooks could infect websites with JavaScript code that would turn visitors into unsuspecting Bitcoin miners. As long as you're visiting the website, you're mining coins for someone else."
Better than looking at ads.
Let's just load a monolithic OS kernel written in javascript into visitor's RAM with the full OSI stack. Distribute your website to these small OSs and have them serve everyone else in the local network....
At last! A practical form of "micro"-payments
Whenever you visit any web page with Javascript enabled, you are inherently agreeing to execute some code on your system. It doesn't really matter if it's displaying animated kittens or calculating bitcoin blocks. Indeed, we should all hail this as a great thing if it means criminals becoming less criminal...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
... only need to get ten trillion users for three days to get 0.001 BTC.
I can already hear the hordes of criminals running to do this.
My understanding was this wouldn't work well for BitCoin, because the raw computing power people are throwing at it with GPUs and ASICs easily dwarfs even significant numbers of zombies, and even WebGL can't help you (too limited an instruction set).
Of course by this point the matter is hearsay... but still, Bitcoin is a tough nut to crack these days.
The World Wide Web is dying. Soon, we shall have only the Internet.
I'm... kind of okay with this? Modern operating systems are hella-good at maintaining usability under high CPU loads, and the extra electricity consumed by the increased load wouldn't make much of a difference to me. If this is how they want to monetize web content, I'll take it over click-to-mute popunders any day. The "crooks" thing seems like it's just thrown in to increase the shock factor. Why wouldn't the site owners do this?
The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
The Australian Government just passed a law allowing them to claim your money in your bank account as their own if you haven't used it in a while.
I pick government.
distribute all you want, phones running js miners won't contribute shit.
A practical form of "micro"-payments
As an alternative revenue stream to ads, this might make sense for some websites. Many of the flashier (so to speak) ads waste many resources as well, but to no productive end other than getting your attention.
I read web-pages while my CPU and GPU crunch CG in the background. Do these applications respect a machine's existing load?
Unless I was getting something for this service you would be stealing my electricity and processor cycles.
You'll need each visitor to stay on your page long enough for them to complete a significant amount of computation and upload the results.
If the amount they compute is less than what is required for the fork and join process in the problem, then it's easier to not fork and join and do the computation locally.
Every visitor that doesn't stay long enough wastes resources doing work that is thrown away. They'll also waste your own resources by asking for the input data and never giving you a result. That means it's either going to take longer for that piece of input to be computed, because you could have given it to someone who stayed, but you don't know how long it will take to compute because you don't know the load or capacity of the node that is doing the work, so you'll need to wait a relatively long time before giving it to another node - or give the same data to several nodes at once - wasting resources again.
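The trade-off described in the comment above (how long to wait before handing an unanswered work unit to another visitor), as an added example that is not part of the original thread: a small deterministic simulation in JavaScript. The function name, the visitor list and all timings are constructed for illustration.

```javascript
// Added example (not from the thread): lease-based dispatch of work units to
// site visitors. All names and the visitor data are constructed for illustration.
function simulate(visitors, unitCount, leaseSec, workSec) {
  // leaseEnd = time after which an unanswered unit may be handed out again
  const units = Array.from({ length: unitCount }, () => ({ done: false, leaseEnd: 0 }));
  const pending = [];            // results in flight: { at, unit }
  let issued = 0, finishedAt = null;

  // Accept every result that has arrived by time `upTo`, oldest first.
  const deliver = (upTo) => {
    pending.sort((a, b) => a.at - b.at);
    while (pending.length && pending[0].at <= upTo) {
      const { at, unit } = pending.shift();
      if (!units[unit].done) {   // a duplicate result for a finished unit is ignored
        units[unit].done = true;
        if (units.every(u => u.done)) finishedAt = at;
      }
    }
  };

  for (const v of visitors) {
    deliver(v.arrive);
    // First unit that is unfinished and not under a live lease.
    const id = units.findIndex(u => !u.done && u.leaseEnd <= v.arrive);
    if (id === -1) continue;     // nothing to hand out right now
    units[id].leaseEnd = v.arrive + leaseSec;
    issued++;
    // Only visitors who stay for the whole computation return a result.
    if (v.dwell >= workSec) pending.push({ at: v.arrive + workSec, unit: id });
  }
  deliver(Infinity);

  const done = units.filter(u => u.done).length;
  return { done, issued, wasted: issued - done, finishedAt };
}

// Constructed sample: one visitor every 5 s; every other visitor leaves after 3 s.
const visitors = Array.from({ length: 12 }, (_, i) => ({
  arrive: i * 5,
  dwell: i % 2 === 0 ? 3 : 30,
}));

const longLease = simulate(visitors, 4, 20, 10);   // wait 20 s before reassigning
const shortLease = simulate(visitors, 4, 5, 10);   // reassign after 5 s (duplicates work)
console.log({ longLease, shortLease });
```

With this sample, the long lease leaves abandoned units locked while willing visitors get nothing to do, and the short lease finishes all four units but hands each one out at least twice.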
TFA tells us that people can do this or do that to the visitors' computers (or smartphones) but there's no hint on how to block all these ...
Anyone can share a little insight on what kind of precaution that we can do in order to block out all those things from entering our own device in the first place --- other than not visiting those websites, I mean ...
Muchas Gracias, Señor Edward Snowden !
Sites that have pictures of noodie women (and men) could make a packet from the non-paying visitors by using their CPU power to generate them money - I'm sure the visitors won't even notice their CPU usage just went to 100%...
Shyt happens already. ..
Microsoft has refused to implement WebGL in any released version of IE for security reasons. Apple implemented it in Safari but disabled it by default on the Mac and restricted it to use only by iAds on iOS.
I've often wondered if including a programming language in a browser is a good idea.
On the functionality side, I don't really think it adds much required functionality. The only useful functionality seems to be in validating web form data (Don't let the user submit without required fields, make sure no spaces are in the CC number, &c). The vast majority of these could be handled by changes in the HTML specification with fields specific to type, flags, and so on. Video and other media players should be built-in to the browser and be based on standardized formats.
There's a number of useless features that everyone clamors for, such as showing text in a box that changes when you click in it (such as "search" boxes), worthless animation, and clever actions that don't appreciably add to readability or access.
On the negative side, there's the innumerable ways in which the user can be taken advantage of - popups and pop-under, spreading malware, insufficient sandboxing, privacy leakage, tracking, and so on.
By turning the browser into a general-purpose computer, the industry has created yet another attack vector. All for something which is for the most part a static, read-only experience.
Microsoft added ActiveX to their E-mail reader, and it was a disaster. I put Javascript on websites in the same category.
John Corzine stole a billion dollars and walked away without a trial.
The government of Cyprus stole money from people's bank accounts.
HSBC openly laundered money for Mexican drug cartels, and admitted to it. But no charges were pressed, as HSBC is too big to fail.
You could keep giving examples like the ones above for hours on end.
"Crime" is a very selective word these days indeed...
it's that or those damn flash ads using up all my computer resources anyway.
May just as well at least get rid of the ads =P
Their job is not to post comments as the rest of us do
Their job is to post comments eliciting _other_ comments
My suspicion is that the guy (a "cowboy" should be a guy) knows what to do, and his comment was intended to get others to post the correct answer (or answers) in such ways that others can benefit from it
However, I may be wrong
"Kittens vs. Zombies 3 requires WebGL to function. Please enable or switch to a different browser to continue."
For one thing, iPad and Surface users can't just "enable or switch to a different browser" without dropping hundreds of dollars on hardware that runs a less-closed operating system. For another, users would react to something that doesn't work in their preferred browser by thinking "I don't think these guys are very bright" and clicking away, if iamhassi's comment is any indication.
I mean it's in the title, got me all interested. Then I read the summary and it's all about a stupid approach to bitcoin mining. So what was this "Chess Record" they were talking about? You expect me to RTFA for that?
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
I like this idea, except it would probably have to use something where mining takes "less work", otherwise, as AC pointed out below, you'd have to have millions of users just to get epsilon money.
But if you make mining easier, then everyone else pulls out their old mining rigs and exhausts the supply of coins that much quicker. Unless you build a large amount of inflation into the system, or put an expiry on the coins.
It would be nice if distributed problems had a standard value. (E.g. The solution to this protein folding problem is worth $1, incidentally giving the currency an intrinsic value). Then someone like Google could distribute the problems ("DistWords"), and website operators would collect the revenue of solved problems.
There's a startup named CrowdProcess doing something similar. Their business plan is to pay websites to include their javascript, and sell the computation time to developers. This way, the websites can cover hosting costs without resorting to ads.
I posted just this idea on one of the bitcoin stories recently.
Mining Bitcoins is over. Doing it with an ordinary CPU is hopeless. Doing it with a GPU barely pays for the power consumption. Doing it with FPGA hardware still sort of works, but not for much longer. Doing it with ASICs requires dealing with slimeballs who insist you pre-pay for hardware and deliver months later, if at all.
Remember, more than half the Bitcoins that can exist have already been mined, and it gets steadily harder.
Stealing other people's GPU cycles has a track record of success. But it's hard to do that from JavaScript.
Another reason to disable javascript.
Whenever you visit any web page with Javascript enabled, you are inherently agreeing to execute some code on your system.
Just because you tricked the user into running your code doesn't mean it's OK to do whatever you want with their system. Users would never agree to run such code if they knew what it did ahead of time. If your software relies on lazy users who don't understand what they're agreeing to, then congratulations, you're a malware author.
We never do that...
This sig left unintentionally blank.
The ZeroAccess botnet is known to be mining BTC. I've seen estimates of 1-3 million USD worth mined each year. Mind you, difficulty has gone up a lot since I saw that.
http://en.wikipedia.org/wiki/ZeroAccess_botnet
It gripped her hand gently. 'Regret is for humans,' it said.
The Australian Government just passed a law allowing them to claim your money in your bank account as their own if you haven't used it in a while.
I pick government.
We beat you.
Sweden is getting a new harsher law against money laundering June 2014. Which allows the government to take any of your assets unless you can prove how you got them. (In practice: they freeze the assets for a year; and unless you have proven that the assets are legally obtained, they are forfeited to the government).
That is pretty bad, because you're going to have a hard time 'proving' all your money and belongings are yours rightfully. However, I'd say this Australian one is a little bit worse because it is a proactive law. This Swedish law you refer to sounds like it 'could' be used against you should the government decide to. However, the new Australian law is proactive, they are actually taking your 'unused' money right now, no questions asked.
It doesn't work because people will notice and unless you're getting a billion hits a day and they all stay on your page for an hour you wouldn't make any real money.
It shouldn't be that hard proving the house and car are yours.
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
Why is everyone on /. so stupid about Bitcoin, and hell bent on making it look bad?
We are supposed to be knowledgeable nerds! Not fear mongers
Bitcoin javascript miners already exist, please check github out first https://github.com/progranism/Bitcoin-JavaScript-Miner
There are also pools that provide an embedded javascript.
This has already been done several times! You get about 3-7 megahashes per second per page. If a user opens too many concurrent pages, the host crashes. Assuming it doesn't crash, 7MH/s will get you 0.000289659043821 BTC per day or $0.035 per 24 hours of viewing time.
In short, computers crash before it's profitable. How do I know, it's been done, check the forums.
Seeing that hackers have cashed in millions with much much smarter strategies, I doubt this is an issue.
Dear /. , can we please collectively stop looking like idiots. I tell people about this site... You are making me look bad
This idea is not exactly a new one.
Just recently there was that thing:
http://www.cbc.ca/news/technology/story/2013/05/02/technology-esea-bitcoin-mining.html
The efficiency is so bad, coupled with expected user backlash, it is a dangerous joke at best.
Why not just purchase a botnet? It's cheaper and easier than getting millions of people to visit a website. And you don't have to limit yourself to JS.
The Information Revolution will be fought on the command line.
A distributed Javascript project has been running for years here:
http://cgi.csc.liv.ac.uk/~acollins/pi
Came here for the "chess world record" mentioned in TFT and didn't find a single word about it, neither in TFS nor in TFCs... Did anyone realize how this article is actually about a bunch of guys parallelizing the eight queens puzzle, running it first on anything from browsers to Blackberrys, then porting it to Hadoop, and on the way to break the world record computing the number of solutions for a chess board of 27x27 tiles?
TFA mentions the word "bitcoin" in the last 2 paragraphs out of 23, and everybody goes crazy about it. Welcome to Slashdot 2013.
Yeah, I pulled that number out of my ass, but it's probably not far from the truth. A web giant like Google implementing this on all their sites would probably make an MW worth of profit ($50 an hour?) and waste a GW of electricity worldwide.
"...As long as you're visiting the website, you're mining coins for someone else."
Find me someone who is going to give a shit.
Seriously.
Facebook could market the fact they're doing this, and no one would give a shit.
If cookies didn't stop people from visiting websites, what the hell makes you think this will.
By viewing website ads, we are using our processor to render images and video.
How is this any different from any other bitcoin mining tool embedded in JavaScript?
If that function does not take too much processing time (fair use), just like a multimedia ad, both generate some kind of revenue for the website creator.
It can't get any "fairer"(!) than that.
Intriguingly, the Australian government is also involved in the most high-profile case of trying to mine bitcoins off public webpages with javascript: http://www.smh.com.au/technology/technology-news/secret-money-abc-virtual-currency-racket-probe-20110623-1ggp6.html
So yeah, this whole article has already happened. It turns out that mining via javascript isn't very efficient, and even webGL mining isn't likely to cover the cost of hosting content.
Now, if something like this could be used for... real... projects, like Rosetta@Home or other good BOINC projects, they could potentially do some real good.
Suddenly NoScript plugin became much more important ^_^
For the last fucking time (hopefully) CPUs and even ideal advanced GPUs like the king of them all, the Radeon 5830 STILL CANNOT MATCH THE NEW ASICs. Normal computers (and TVs and phones) cannot effectively mine bitcoins anymore. You could mine on my i5-2400 24/7 for an entire year straight and come up a couple dollars. Unless anyone has an ASIC miner, they could control 100,000 computers and run them at a nice and undetectable 25% indefinitely and make a tiny, tiny amount of money.
WebGL might allow you to access the raw frames being displayed by the video card.
In other words: it's Microsoft's desire to suck the dick of the RIAA that's behind it.
I'd be inclined to give Microsoft the benefit of the doubt that someone might be displaying a confidential document on half of a 1920x1080 monitor and a web page on the other half, and the user doesn't want the web page to be able to "steal" the user's employer's trade secrets.