Slashdot Mirror


Cloudflare Ditches Sites That Use Coinhive Mining "malware" (betanews.com)

Mark Wilson writes: Bitcoin has been in the news for some time now as its value climbs and drops, but most recently interest turned to mining code embedded in websites. The Pirate Bay was one of the first sites to be seen using Coinhive code to secretly mine using visitors' CPU time, and then we saw similar activity from the SafeBrowse extension for Chrome. The discovery of the code was a little distressing for visitors to the affected sites, and internet security and content delivery network (CDN) firm Cloudflare is taking action to clamp down on what it is describing as malware. Torrent proxy site ProxyBunker.online has contacted TorrentFreak to say that Cloudflare has dropped it as a customer. The reason given for ProxyBunker's suspension is that the site has been using Coinhive code on several of the domains it owns.

49 of 84 comments

  1. Good by lactose99 · · Score: 1

    Coinhive with no alert and option to disable is bullshit anyway.

    --
    Fully licensed blockchain psychiatrist
    1. Re:Good by BronsCon · · Score: 1

      Came here to say this.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:Good by DivineKnight · · Score: 1

      There are some people who aren't aware that JavaScript is the Internet's equivalent of an STD...

  2. Question by squiggleslash · · Score: 1

    Genuinely interested (no strong opinion of my own - I have a gut feeling this software slows down your machine) - would you prefer ads or background JS running Bitcoin miners funding the websites you visit?

    --
    You are not alone. This is not normal. None of this is normal.
    1. Re:Question by PIBM · · Score: 1

      Personally, I'm fine with coinhive. In no time we will have cpu caps at 5% of a core on browsers which we can waive for legit sites, so those miners cost us almost nothing, and no ads is great :) Also, the browser already has to fight for cpu against my own miners. Besides, it's not as if we didn't have tens of other cores available for what we need to do on our computers should we core lock stuff .. oh well, to me it's a non-issue.

    2. Re:Question by corychristison · · Score: 1

      uBlock Origin already has rules to block CoinHive by default.

    3. Re:Question by Dixie_Flatline · · Score: 1

      I've been thinking about this, and if there were a standard API for harnessing my CPU for a few cycles while I browsed, and a setting where I could decide how much time to give on a site-by-site basis, I think I'd be much more willing to do this than have ads. The thing that bugs me is the underhanded nature of it right now, but it's honestly kind of a good idea.

      Of course, for this to work, several things need to be in place and the red tape in getting this off the ground properly would probably be a huge hassle. But as a way to pay for content, this is kind of brilliant.

    4. Re:Question by GNious · · Score: 2

      See: Brave browser

    5. Re:Question by UnknownSoldier · · Score: 4, Insightful

      > would you prefer ads or background JS running Bitcoin miners funding the websites you visit?

      False Dichotomy, much?

      The answer is: Neither:

      * Ads are immoral -- they don't respect my time, space, bandwidth, or money, so Fuck-Off with your blatant greed,
      * Stealing my CPU resources is just as heinous.

      Your monetization problem is not my problem.

    6. Re:Question by squiggleslash · · Score: 1

      I didn't offer any dichotomy. I asked you which you prefer. I'm well aware there are reasons to dislike both, but that doesn't mean you can't have an opinion on which is better, or, if you'd prefer, which is worse.

      I don't have the power to limit your choices to two ways to fund websites, and I'm not sure why you think I would have that power, or why you'd think I was demonstrating that.

      So... do you have an answer to the question?

      --
      You are not alone. This is not normal. None of this is normal.
    7. Re:Question by gnick · · Score: 1

      But as a way to pay for content, this is kind of brilliant.

      If this was an alternative to ads and had some CPU cap, I'd agree. But this is being deployed in addition to ads and I don't know how aggressive it is about consuming resources.

      --
      He's getting rather old, but he's a good mouse.
    8. Re:Question by DamonHD · · Score: 2

      Ouch!

      What about providing something to help cover the costs of creating content you consumed? Do the words "immoral" and "heinous" apply there in any way?

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    9. Re:Question by gnick · · Score: 1

      Ads are immoral -- they don't respect my time, space, bandwidth, or money...

      Of course they respect your time - They're buying it from you. Your time, space, and bandwidth are what they're purchasing in exchange for access to the content they're linked to. Your money is the ultimate prize. How can you say ads don't respect those things when they're literally the entire goal?

      Maybe you're saying that they don't respect your time because they're demanding more than you think is fair? Browse elsewhere or pay for ad-free premium content.

      --
      He's getting rather old, but he's a good mouse.
    10. Re:Question by MightyYar · · Score: 1

      I'd like to see a system where I can let the miner do its thing if I want, OR let the site deduct some agreed-upon amount from a coin balance that I have. This would let people who want a free-as-in-beer experience on the web do their thing and also let people willing to part with a few pennies have a better overall experience / better battery life.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    11. Re:Question by UnknownSoldier · · Score: 1, Insightful

      What part of ...

      The answer is: Neither:

      ... do you not understand??

    12. Re:Question by squiggleslash · · Score: 1

      That part where it's not an answer to the question I asked.

      Here's a better idea: if you don't want to answer the question, just don't reply to it. Don't post some bullshit putting words into my mouth claiming I've made a "False dichotomy" when all I've done is ask which of two options is better.

      (Original missing for some reason)

      --
      You are not alone. This is not normal. None of this is normal.
    13. Re:Question by maglor_83 · · Score: 1

      The thing that bugs me is the underhanded nature of it right now

      It's no less underhanded than ads are. Sure, you know that the ads are there, but the vast majority of people have no idea of all the tracking and selling of their information that's going on behind the scenes.

    14. Re:Question by TheReaperD · · Score: 1

      Then you can choose option 3: Pay them money for their service. Or, don't use it.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    15. Re:Question by UnknownSoldier · · Score: 2

      > I was claiming there are only two ways to fund websites and that you're obliged to pick one of them

      That is indeed what you were doing when you rejected the answer "Neither"

      ... would you prefer ads or background JS running Bitcoin miners funding the websites you visit?

      Here is an example:

      Q. Would you like Cake or Pie?
      A. Neither, I would like Ice-cream.

      Now what part of OR do you not understand?? There are AT LEAST 4 different permutations:

      A=Ads B=Bitcoin
      A=0 B=0 I'm NOT OK with either one.
      A=0 B=1 I'm OK with Bitcoin
      A=1 B=0 I'm OK with Ads
      A=1 B=1 I'm OK with either Ads or Bitcoin

      Gee, if only there was MORE than 2 options to crowdfunding.

      What you should have asked is this:

      Q. For funding the websites you visit would you prefer -- pick all that apply:

      [ ] Ads, or
      [ ] Background JS running Bitcoin miners OR
      [ ] Patreon, OR
      [ ] Donate button, OR
      [ ] Other. Please specify _ _ _ _ OR
      [ ] Nothing. I don't want to financially support you.

      QED.

      --
      You can't fix stupid, but you can fix ignorant

    16. Re:Question by tepples · · Score: 1

      I didn't offer any dichotomy. I asked you which you prefer.

      Let me try to rephrase the answer you got:

      Distracting interest-based ads and cryptocurrency mining are tied for unacceptable. It's futile to argue which is farther below the threshold of acceptability when at least one third option exists and is above this threshold. In this case, there are two third options: subscriptions and cessation of business.

    17. Re:Question by tepples · · Score: 1

      Maybe you're saying that they don't respect your time because they're demanding more than you think is fair? Browse elsewhere

      When I tried that, I got modded down for saying I couldn't RTFA.

      or pay for ad-free premium content.

      If I "pay for ad-free premium content" on one site, which other sites will honor my having "pa[id] for ad-free premium content"?

    18. Re:Question by UnknownSoldier · · Score: 2

      > when all I've done is ask which of two options is better.

      You are assuming that either option is better. I disagree with your premise.

      Analogy(*) Time!

      Q. Would you like to be:

      * Raped first, then murdered? OR
      * Murdered first, then Raped?

      A. The response NEITHER is a VALID answer.

      There are at LEAST _four_ different answers -- some sick fucko might go "Both?"

      /Oblg. I could explain it for you ...

      (*) I neither approve nor condone. This imaginary example is just for illustration purposes only to make a point how stupid some people's logic is.

    19. Re:Question by dissy · · Score: 1

      would you prefer ads or background JS running Bitcoin miners funding the websites you visit?

      Given just those two options and only a few minutes to ponder on it, I'm actually leaning towards the bitcoin miner.

      In theory, javascript is supposed to be sandboxed in the browser, while flash was never designed in such a way for that to be possible, so in theory the miner is supposed to be more secure.
      Of course in reality that isn't really the case, as there have been plenty of exploits using javascript over the years too. That would also only apply to flash ads, which aren't as dominant these days.

      Normally I am very much against running random strangers code on my computer.
      Originally I didn't intentionally block ads, but I do run a script blocker which coincidentally blocks many ads too.

      But another point in the miner's favor and against ads is the aggressive nature they have become.
      I now also run an ad blocker specifically for that reason, since ads tend to completely destroy a website.

      Ever try to read slashdot without an ad blocker? It's quite literally not possible. By far ads take up over 80% of the screen and move around to fuck with the remaining small percent left over for content. You can't open an article from the main page since the ads force the page to scroll most of the way down, and once you scroll up it triggers the ads to move and push the comments off screen again.
      Not to mention the postage stamp sized box you get to reply in without a script blocker or always updating your settings back to the old view layout.

      Coin mining on the other hand wouldn't even show up on screen at all.
      Both the miner and ads suck up CPU cycles, I'd assume the miner much more so, but these days I have plenty of CPU cycles to spare and doubt a single core pegged at 100% would be noticeable.

      Ads also have a habit of redirecting you to scammy websites, or the site with the ad makes the entire background of their page a clickable element to hijack their own website to open an ad in a popup or popunder tab.

      I can safely say between allowing a website to use ads in my browser, or doing without ever going to that website, I choose the latter.
      A coin miner on the other hand would be a silly thing to deploy if it didn't actually report back to the website owner and gave random scammy sites access to it.

      Of course in the end I don't think I'd put myself in any position where I'd only have those two choices.
      For sites and content creators I love, they either get paypal donations or lately patreon pledges.
      (Patreon has been an amazing game changer, I have a few hundred dollars per month in pledges to about 30 different people and groups. Not having to remember to paypal something every so often, or sign up for multiple subscription services, makes the entire ordeal so easy to set up and let do its thing)

      The rest I can generally do without if it came down to it.

    20. Re:Question by gnick · · Score: 1

      If I "pay for ad-free premium content" on one site, which other sites will honor my having "pa[id] for ad-free premium content"?

      Surely you can't tell me that EVERY DEVELOPER wants to be paid for his time or bandwidth! I'd like a subscription to the Internet, please.

      --
      He's getting rather old, but he's a good mouse.
    21. Re:Question by bill_mcgonigle · · Score: 1

      I'd like to see a system where I can let the miner do its thing if I want, OR let the site deduct some agreed-upon amount from a coin balance that I have. This would let people who want a free-as-in-beer experience on the web do their thing and also let people willing to part with a few pennies have a better overall experience / better battery life.

      There's a fork of CoinHive that lets admins put up a permission box to ask the user before mining and limit the CPU usage (to say 15%), and Google is still shutting down the adwords accounts of people using this code (see r/Monero from a few days ago). That code is probably lower impact than a typical Flash ad or a HTML5 autoplay.

      There is finally a challenger to an ad-supported Internet and that means war.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    22. Re:Question by MightyYar · · Score: 1

      Yeah, I can see Google would be unhappy about that. Though if they were clever about it they could develop a platform where people could earn coins for watching ads and plug in to the infrastructure. Maybe they've gotten too big for such risky innovation. They were very disruptive, but now need to fight the disruption...

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    23. Re:Question by squiggleslash · · Score: 1

      I appreciate the attempt, but no, that's not an answer to the question, nor is it rephrasing the question. The question is literally "Is X preferable to Y". It's of the "Would you prefer Superman or Batman to deal with crime in your city" or "Do you prefer Coke to Pepsi" variety.

      The idiot who responded to me was claiming that by asking the question, I was implying that people would be forced to take one path or the other.

      Legitimate answers are "Ads", "Bitcoin miners", or perhaps "Hard to tell, they're both pretty shitty". Illegitimate answers would be "Never heard of them", your attempt at a rephrase (because it's off topic. It's "Oh, so Aquaman isn't an option? Well you suck", or "RC COLA PLZ!"), and "OMG HOW DARE YOU SUGGEST THE ONLY SOLUTIONS TO A PROBLEM YOU NEVER DEFINED IN THE FIRST PLACE ARE THOSE TWO. I shall look up in my dictionary of fallacies something that has some of the same words in the description and CLAIM YOU'RE DOING IT."

      The latter is an accurate rephrase of the GP's comment. And by using the name of a fallacy he was able to sucker in some stupid moderators who modded his comment up despite it being literally either the product of poor literacy, or high jackassery.

      --
      You are not alone. This is not normal. None of this is normal.
    24. Re:Question by tepples · · Score: 1

      Among the legitimate answers, "Hard to tell, they're both pretty shitty" is probably the closest.

  3. Alternative to ads? by mi · · Score: 1

    Maybe it is, but it may also be a suitable alternative to ads for some people... For example, my main objection to them is not that they use up my computer's resources (indeed, AdBlock often takes more) — it is the screen real-estate that the ads occupy. (And the incessant blinking of some of them.)

    So, in exchange for accessing the content, I may be willing to let my computer do some coin-mining for the authors.

    --
    In Soviet Washington the swamp drains you.
    1. Re:Alternative to ads? by bill_mcgonigle · · Score: 1

      the site you're visiting is doing BOTH displaying ads and using your CPU for mining bitcoins which is exactly what is going on.

      Some are, some are allowing a slider between revenue streams, and some are only asking for permission on the mining (no ads).

      Your blanket statement is false as written, but Google and Cloudflare are pretending it's true. Google is in the ad business and Cloudflare is squarely in the ad distribution business, so both stand to lose tremendously if the Web doesn't remain ad-supported forever.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Alternative to ads? by mi · · Score: 1

      Kamrade, you are absolutely right! Revolution is the only solution to this problem. Workers will continue to be exploited as long as there are KKKapitalists alive.

      --
      In Soviet Washington the swamp drains you.
  4. Didn't see TPB doing this as a bad thing by SensitiveMale · · Score: 1

    I don't see the big deal about this as long as the site is up front about it. Who cares about a few CPU cycles compared to the onslaught of blinking ads and countless popups. Popups are the worst.
    So, if visiting TPB, or some other site, means an ad-free experience with a small spike in CPU use, I'm all for that.

    1. Re:Didn't see TPB doing this as a bad thing by Baron_Yam · · Score: 1

      > Who cares about a few CPU cycles

      Script miners are very inefficient to start with, and for all the cryptocurrencies I am aware of, more mining means lower efficiency. There is a very strong motive to max out your CPU because no matter how hard they peg the needle, they're not really getting much from you and the power costs them nothing.

      Are you really OK with the same people who are OK with pop-ups, pop-unders, uncloseable window cascades, fake AV warnings and more - are you OK with them deciding how much of your CPU is OK to appropriate?

    2. Re:Didn't see TPB doing this as a bad thing by SensitiveMale · · Score: 1

      Are you really OK with the same people who are OK with pop-ups, pop-unders, uncloseable window cascades, fake AV warnings and more - are you OK with them deciding how much of your CPU is OK to appropriate?

      100%. (Get it?)

      Seriously, absolutely. Who cares? So I go on some site and they peg my CPU for two minutes. Doesn't cost me a dime because my CPU is working anyway. I'd trade that for 20 ads, 3 pop-ups, and a pop under.

    3. Re:Didn't see TPB doing this as a bad thing by Baron_Yam · · Score: 1

      I get that you don't understand a lot of computers - including pretty much every laptop - will engage in a lot of power saving that goes out the window with a CPU spike.

      I get that you don't understand that a lot of people don't want their OS to become unresponsive just because they're visiting a particular site.

      Mostly, though, I get that you have no clue that ad blockers exist.

    4. Re:Didn't see TPB doing this as a bad thing by SensitiveMale · · Score: 1

      I get that you don't understand a lot of computers - including pretty much every laptop - will engage in a lot of power saving that goes out the window with a CPU spike.

      Oh no. Not that. Anything but that. Why, it's best to just throw it away after it.

      I get that you don't understand that a lot of people don't want their OS to become unresponsive just because they're visiting a particular site.

      The CPU can spike without dropping the whole OS to a standstill. Exactly how stupid are you? Do you think that's exactly what's going to happen every time? People will be fine with something as long as it doesn't impact them. Snagging a few CPU cycles won't. Ads will. As with everything, this will get more efficient and better implemented.

      Mostly, though, I get that you have no clue that ad blockers exist.

      Don't run an ad blocker on the browser. I run pi-hole which does everything for me.

      Anyway, many sites need income to survive. Ads are an option. If I'm given the choice to either see ads, some ads, watch some sites go away, put behind a paywall, or simply have that site take a few CPU cycles that I'm not using and only while I'm there, I'll go with the latter.

      Mostly, I get that you're an ass. Mostly.

      Nah, total condescending ass. Yeah, that's it.

    5. Re:Didn't see TPB doing this as a bad thing by thejynxed · · Score: 1

      Except in many cases now, it's not just the primary site running a single CoinHive script, but by multiple instances of it being run by every third-party site with JavaScript loaded on the page you're visiting.

      This shit needs nipped in the bud.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    6. Re:Didn't see TPB doing this as a bad thing by SensitiveMale · · Score: 1

      As long as it's optional and used how they say it will be, I'm perfectly fine with it.

    7. Re:Didn't see TPB doing this as a bad thing by SensitiveMale · · Score: 1

      Some of us leave tabs open for days in the background. I'm going to be extremely pissed if I find out one of those sites has been stealing additional resources (yes, they are actually stealing now since it's something you no longer have and they took without asking: CPU, battery, heat, less time, etc.).

      But they are asking. No, it's not stealing, even if it's something you no longer have. Rather than go into Megahertz and such, let's just say my CPU can execute 100 clock cycles per second. Now, if my computer only uses 20 in that second, I haven't "lost" 80. Nor can I store them to use later. So, if I have a choice to give some site 30 cycles a second, then I'm not losing anything.

      If you know some site is doing that and you decide to leave that tab "open for days" well, that's your choice.

      Expect the next iteration of this to launch DDoS attacks against other sites.

      Again, as long as it's open, I don't see a problem.

      How about I go around and hack into your wi-fi and use it while you're sleeping? It isn't costing you anything...

      They're not hacking and it's only occurring when I'm at the site so your example is ridiculous.

      But if I wanted to play along, if some site said "If you agree to share some of your bandwidth, we'll let you watch this streaming sports event for free and without ads" I'd accept that in a heartbeat.

  5. Cloudflare must die by ptaff · · Score: 2

    Cloudflare must die. It's the ultimate cross-site tracking MITM — worse than ads and pixel beacons because there's no way around it — and its CAPTCHA mechanism makes Tor browsing a PITA.

    1. Re:Cloudflare must die by thomst · · Score: 1

      ptaff (who has a really low /. ID number) thundered:

      Cloudflare must die. It's the ultimate cross-site tracking MITM — worse than ads and pixel beacons because there's no way around it — and its CAPTCHA mechanism makes Tor browsing a PITA.

      Can't say as I've run into any CAPTCHA challenges using TOR. Then again, I only use TOR to access TPB when some media company is paying Indian hackers to DDoS it on the non-TOR web, so what would I know?

      OTOH, I had to deal with CAPTCHAs all the freakin' time when one or another shitbag bot herder was hiding behind VPNUnlimited's San Francisco proxy. I entirely understood, though. If Cloudphlegm hadn't made life difficult for VPNUnlimited's other customers (like me, for instance), they wouldn't have had much incentive to identify and ban the bot herder ...

      --
      Check out my novel.
    2. Re:Cloudflare must die by tepples · · Score: 1

      Which CDN would you recommend to use instead of Cloudflare to mitigate request bursts and DDoS?

  6. Coinhive by b1ffster · · Score: 1

    I thought TPB (and proxies) were 'trying it out'. They appear to still be 'trying it out' weeks later. Malwarebytes (full version) already blocks them so meh!

  7. Publishers unwilling to take my money by tepples · · Score: 1

    What about providing something to help cover the costs of creating content you consumed?

    For one thing, the act of viewing a work of authorship does not consume the work.

    For another, publishers often don't even want to take my money. Where's the lawfully made region 1 or all region DVD copy of the film Song of the South, the film Pinocchio and the Emperor of the Night, or the TV series Spartakus and the Sun Beneath the Sea (the English language dub of Les mondes engloutis)?

  8. How many subscriptions should one maintain? by tepples · · Score: 1

    To how many websites do you expect the median web user to maintain a subscription in any given month? For example, if the top ten results on Google Search for a given query are all subscription sites charging $4 per month, how many people would you expect to pay upwards of $20 to sample the majority of the results from a single query?

  9. Re:Had been considering it by tepples · · Score: 1

    Plan was to display site monetized by borrowing some cpu cycles

    That plan wasn't viable to start off with for one reason: Good luck getting a lot of revenue mining on the dinky little ARM in a pocket mobile computer.

  10. Adult Check: Grown-ups can pay for nice things by tepples · · Score: 1

    I'd like a subscription to the Internet, please.

    That's what people think they're buying when they pay $60/mo to Comcast.

    In the late 1990s, there was actually a service like that: Adult Check. A subscriber could pay $10 per month for access to all participating publishers' sites, and publishers would earn a commission based on page views. But nowadays, each publisher wants its own separate subscription. If the top 10 results for a Google Search query all want $4 for a 30-day subscription just to view one page, how is a viewer supposed to build a rounded picture of an issue by comparing articles from multiple sources? Just picking one site and preferring articles from that site "because I already subscribe" puts a reader into the filter bubble of that site's point of view.

    1. Re:Adult Check: Grown-ups can pay for nice things by gnick · · Score: 1

      If the top 10 results for a Google Search query all want $4 for a 30-day subscription just to view one page, how is a viewer supposed to build a rounded picture of an issue by comparing articles from multiple sources?

      By viewing ads.

      --
      He's getting rather old, but he's a good mouse.
    2. Re:Adult Check: Grown-ups can pay for nice things by tepples · · Score: 1

      How is that possible while respecting viewers' privacy? As far as I'm aware, most web ads are served through a third-party server that not only serves ads but also builds an interest dossier based on tracking each viewer's request history across multiple websites. I guess websites could fall back to self-hosted ads when the browser fails to connect to the tracking server, but I haven't seen a lot of sites whose coding is smart enough for this sort of ad replacement.

      In addition, sites end up playing the "Ads alone don't pay enough CPM to keep our writers fed" card.