Hackers Spawn Web Supercomputer On Way To Chess World Record

New submitter DeathGrippe sends in an article from Wired about a new take on distributed computing efforts like SETI@Home. From Wired: "By inserting a bit of JavaScript into a webpage, Pethiyagoda says, a site owner could distribute a problem amongst all the site's visitors. Visitors' computers or phones would be running calculations in the background while they read a page. With enough visitors, he says, a site could farm out enough small calculations to solve some difficult problems. ... With this year's run on the value of Bitcoins — the popular digital currency — security expert Mikko Hyppönen thinks that criminals might soon start experimenting with this type of distributed computing too. He believes that crooks could infect websites with JavaScript code that would turn visitors into unsuspecting Bitcoin miners. As long as you're visiting the website, you're mining coins for someone else."

Cheap

Better than looking at ads.

Re:Cheap

[Mathness]

It actually could be a fair exchange of resources instead of ads, I use some of yours when visiting your site and "consuming" your work and I give some back by doing some "work" for you. If what I provide is a reasonable use of my resources, I would have no problem with it as long as it is legal.

Why stop there...

[socceroos]

Lets just load a monolithic OS kernel written in javascript into visitor's RAM with the full OSI stack. Distribute your website to these small OSs and have them serve everyone else in the local network....

At Last!

At last! A practical form of "micro"-payments

Bitcoin mining in Javascript.

... only need to get ten trillion users for three days to get 0.001 BTC.

I can already hear the hoards of criminals running to do this.

My understanding was this wouldn't work well

[FooAtWFU]

My understanding was this wouldn't work well for BitCoin, because the raw computing power people are throwing at it with GPUs and ASICs easily dwarfs even significant numbers of zombies, and even WebGL can't help you (too limited an instruction set).

Of course by this point the matter is hearsay... but still, Bitcoin is a tough nut to crack these days.

Re:That's not actually criminal

[Dunbal]

For all you may claim that the sign on the back of your front door states that I consented to be raped by you when invited to into your home, you still don't have the right to do it and are a criminal if you do.

Re:That's not actually criminal

[FlyMysticalDJ]

Whenever you visit any web page with Javascript enabled, you are inherently agreeing to execute some code on your system. It doesn't really matter if it's displaying animated kittens are calculating bitcoin blocks. Indeed, we should all hail this as a great thing if it means criminals becoming less criminal...

I think you've missed the idea. From TFA:

He believes that crooks could infect websites with JavaScript code that would turn visitors into unsuspecting Bitcoin miners. As long as you're visiting the website, you're mining coins for someone else

The criminal activity isn't mining bitcoins on someone else's machine, it's putting your code on someone else's website without their consent. It's not a new type of criminal activity, just a new incentive to do it.

How to block ?

[Taco+Cowboy]

TFA tells us that people can do this or do that to the visitors' computers (or smartphones) but there's no hint on how to block all these ...

Anyone can share a little insight on what kind of precaution that we can do in order to block out all those things from entering our own device in the first place --- other than not visiting those websites, I mean ...

Re:How to block ?

Insert smarmy statement regarding how long I've been running noscript here

Re:How to block ?

[Algae_94]

As the AC mentioned, you can use NoScript to block these scripts from running on a site. You could also universally disable javascript in the browser. NoScript is the most granular blocking that I'm aware of, and it's granularity is by domain. This means if xyz.com has this sort of script on their site and you block xyz.com, the site would also not be able to do a lot of other javascript stuff. This can be range from no problem for the site to making the site unusable.

Re:How to block ?

[Cenan]

The problem with noscript is that once you allow a domain, it's allowed regardless of which site you allowed it on. This is a huge problem, since I might trust domain x to use jQuery's CDN, but not site y. If I allow jQuery CDN it's allowed for both. Try blocking google-analytics for instance, and see how many sites break - for no other reason than that they want analytics to run, and their scripts check for this (or depend on it in some retarded way, I'm not sure). That means in order to use a handful of sites that have retarded dependencies, I have to allow this idiocy for every site i visit.

The other problem with the granularity is that most professional sites pull in javascript from multiple domains, so it turns into a treasure hunt trying to find the handful of domains you need to unblock before the site works. And it's even more fun when the site has hidden dependencies, that only pop up after you allow a domain on the list - making the already long list expand dynamically. And of course there's no way to see the script you're allowing unless you want to sift through the entire source of the page.

This is why noscript remains a nerd tool, the menu has a function that allows all scripts on a given site, a ripe choice of you already have the "click through" mentality. What a user sees is "lots of choices, this one makes the problem go away" and once that is learned the whole point of noscript goes the way of Windows UAC - yes, yes, yes, oh shut up.

TL;DR: noscript is good advice, although it requires far more user maintenance than resonable.

Re:That's not actually criminal

[Kaenneth]

But it's not rape if there is consent, given by passing through the door...

That's EULA logic, right?

Re:Is javascript a good idea?

[Kal+Zekdor]

You would be absolutely correct... if this was 1995. Web sites haven't been a "static, read-only experience" in ages (many of them, anyway). You interact with web pages, not merely consume them, as you would an RSS feed. While I hate javascript with a passion, it has made it possible for us to move from web pages to web apps. Many of the sites most people use everyday would be completely impossible without client side scripting. I wish that scripting would be done in something that doesn't suck as hard as javascript, but that's neither here nor there.

Stupid summary, what about this "Chess Record"?

[complete+loony]

I mean it's in the title, got me all interested. Then I read the summary and it's all about a stupid approach to bitcoin mining. So what was this "Chess Record" they were talking about? You expect me to RTFA for that?

It's still unethical

[Fred+Ferrigno]

Whenever you visit any web page with Javascript enabled, you are inherently agreeing to execute some code on your system.

Just because you tricked the user into running your code doesn't mean it's OK to do whatever you want with their system. Users would never agree to run such code if they knew what it did ahead of time. If your software relies on lazy users who don't understand what they're agreeing to, then congratulations, you're a malware author.

What about botnets?

[smutt]

Why not just purchase a botnet? It's cheaper and easier than getting millions of people to visit a website. And you don't have to limit yourself to JS.

Chess, anyone?

[xded]

Came here for the "chess world record" mentioned in TFT and didn't find a single word about it, neither in TFS nor in TFCs... Did anyone realize how this article is actually about a bunch of guys parallelizing the eight queens puzzle, running it first on anything from browsers to Blackberrys, then porting it to Hadoop, and on the way to break the world record computing the number of solutions for a chess board of 27x27 tiles?

TFA mentions the word "bitcoin" in the last 2 paragraphs out of 23, and everybody goes crazy about it. Welcome to Slashdot 2013.