Slashdot Mirror
The Internet Is Ripe With In-Browser Miners and It's Getting Worse Each Day (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: Ever since mid-September, when Coinhive launched and the whole cryptojacking frenzy started, the Internet has gone crazy with in-browser cryptocurrency miners, and new sites that offer similar services are popping up on a weekly basis. While one might argue that mining Monero in a site's background is an acceptable alternative to viewing intrusive ads, almost none of these services that have recently appeared provide a way to let users know what's happening, let alone a way to stop mining behavior. In other words, most are behaving like malware, intruding on users' computers and using resources without permission. [...] Bleeping Computer spotted two new services named MineMyTraffic and JSEcoin, while security researcher Troy Mursch also spotted Coin Have and PPoi, a Coinhive clone for Chinese users. On top of this, just last night, Microsoft spotted two new services called CoinBlind and CoinNebula, both offering similar in-browser mining services, with CoinNebula configured in such a way that users couldn't report abuse. Furthermore, none of these two services even have a homepage, revealing their true intentions to be deployed in questionable scenarios.
Is there a way that someone could write a browser plugin that returns wrong/garbage results to the crypto mining command and control server, rendering entire massive calculation trees wrong and useless and destroying their scheme?
Ideally a way to enable/disable per site so that sites that ask permission can be granted on a case-by-case basis.
No? Then this is the same discussion we had decades ago about ads and it will end up in the same way.
If you go to a site, then you give it explicit permission to use resources on your computer. Whether that resource is doing stuff on the Internet (AJAX) or doing stuff on your computer (mining).
A user can control your computer though, they can limit the amount of cycles a website or browser gets to spend, block JavaScript, block whatever resource they want. In the end, the user is letting them do this and once sites see that it's costing them more money than it profits (when people stop visiting the "slow website") they'll learn.
Custom electronics and digital signage for your business: www.evcircuits.com
You don't want things loading in your browser session that are doing things you don't want them to do.
But couldn't this be said about any code on a website? When you go to the page, you're loading whatever JS, Flash, etc that is on their site. You're the one going there, it isn't anything malicious.
What's the difference between this stuff, and say someone using uncompressed images that suck your bandwidth excessively? Is the only difference, that they may be profiting from this slightly? If so, why is that bad, when most sites need to show you some ad, sell you something, etc to be profitable?
I believe the word the author was looking for is "rife" as in filled with/replete with.
Just another reason that add blockers like uBlock Origin are mandatory. I also browse with a JS dynamic switch so I can kill JS with a button press for obnoxious sites.
If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
"As an alternative to ads, we are testing out in-browser cryptocurrency mining as a means to fund our website. If you prefer our ad-supported version, click here" and see how many would actively choose ads. I mean if this is a functioning micro-transaction system I think it's got much less downsides than almost every other possible alternative, particularly that you don't need any kind of payment info or personal data. If it's any kind of site where you have an account you could have like points and build up a sort of credit you'd "pay" with to read articles and so on.
Live today, because you never know what tomorrow brings
I presume these are using web workers as they don't lockup the UI? How many legitimate uses of web workers are there, couldn't we just disable them?
Maybe w3c should drop them from the browser spec entirely.
Even more reason to disable Javascript.
While I agree with that sentiment, I have to wonder why this is such a big deal?
Assuming that mining is not actually harming me or my computer - destroying files, or leaking my information to someone - why should I care? If I visit a website and read an article, maybe a minute of my time, my computer is otherwise idle and the amount of energy spent is negligible.
We've always wanted a way to monetize visiting a site, could this be a way to do it?
Suppose we had a service where people could submit computationally intensive problems which can be broken down into smaller computational units. Such as "folding at home" or "seti at home".
The answers to some of those problems could be valuable, so we could imagine research institutions paying money to use the system to solve those problems, and pay out based on the amount of computation a website brings in.
This is proportional to the number of users who view the website, and for how long. This could be a user-friendly alternative to advertising.
In fact, one can imagine the *government* paying money to use the system as a make-work program: it would encourage people to make better, more meaningful websites overall. Would the sociological benefit outweigh the extra costs?
(Assuming that people don't game the system, but it seems reasonable that we could learn all the gaming techniques over time and avoid them. Sort of how we deal with advertizing clicks currently.)
I don't see what the problem here is, and look at it as an opportunity.
Could this be a user-friendly way to monetize a website, as an alternative to advertising?
This "problem" is so exaggerated it's becoming annoying to hear about it again and again.
First of all, most respectable websites will never do anything like that. Secondly, shady websites which do host mining JavaScript are not normally visited by most people and the ones who visit such websites usually leave them quite fast, which means bad scripts can only run for a very limited amount of time. Thirdly, we've always had websites which peddle malware and somehow they stopped being newsworthy years ago. All of a sudden, they are again in the news.
Fourthly, we now have "good" websites which stress your CPU so much they can be considered "harmful". What about ad networks whose JS tax your CPU? Why aren't we talking about them?
Last time I checked, websites weren't getting explicit consent for user data-mining either.
Yes they are. Private Browsing in Firefox does two things related to data mining: it turns persistent cookies into session cookies, and it doesn't connect to third party tracking services. "Disable protection for this site".
That assumes a website is not doing both ... in that case then fuck them all to hell.
They'll do both, arguing that doing both has precedent. Magazines, newspapers, and multichannel pay television rely on combined revenue from ads and subscriptions because they can't pay their writers with one or the other alone.
It's parasitic and hidden, but to believe that an opt-in checkbox equates to being "in the clear" - hell, that op-tin being offered at all is supposed to be par for today's commercial atmosphere - is awfully naive.
In fact, this "hidden" behavior? Is still transparent relative to the shit being done with various fingerprints/useragents, with the hundred different metrics possible on your phone. To say nothing of you unfortunate souls with accounts on facetweet and socnets.
It's almost refreshingly simple. They're mooching your CPU, your electricity, but the intent is plain, the motives obvious. Compare it to the clusterfuck, the rat-king of trade-and-parcel done with your credit info/score/history/etc. We're oblivious to the amount of closed-door behavior going on around us, of how many databases end up hooking a single instance of you flashing your insurance card to get a painkiller or flu shot, or a scratch on the car.
Again, it's unscrupulous, yes, but "shady"? Consider that word and apply it to the shady pickpocket who grabs your $20's and throws your wallet on the sidewalk, versus the shady cartels running our world, ISPs and Muh Big Pharma and all our good friends trashing the atmosphere/soil/rainforest/aquabeds/whatever without a moment's hesitation, global-scale behaviors behind purchased laws, behind NDAs, behind agreement named with so much obfuscating euphemism you think it benefits consumer proles. Go ask a stranger what "net neutrality" is.
Christ, you can probably stop these scripts with a browser mod or two, or a greasemonkey. Five minutes of placement. While if you fuck with your registry and hosts file maybe you'll get (most of) win10's bullshit to stop showing up on wireshark.
I'd probably prefer a silent miner (esp. if throttled to polite levels) over the butterfly dominoes from an ad watched by DoubleClick, with a facebook pixel watching. Submission is stupid about what he can hope for, naive, thinks an ad is just "Buy my book" and done. Thinks clicking "don't send me emails" is a win.
Not an apologist, just mentioning perspective.
Javascript is not only a theoretical security problem, it's one that's very commonly exploited.
What exploits are you talking about here?
"First they came for the slanderers and i said nothing."
https://www.ovoenergy.com/guid...
Let's go with U.S.A. electricity prices since they're more or less in the middle.
Let's also say you have a higher-than-average computer, with an Intel Core i7 3970X Extreme Edition at 150W.
12 cents for one kilowatt for one hour. 150W means 0.018 cents per hour. 3600 seconds per hour, so USD$0.018 / 3600 = 0.000005 cent per second.
Let's say you're generous and let them mine on your computer for ten minutes. That's USD$0.003, less than half a cent.
Yes, damn those damn crypto-mining scripts! I let my guard down for a whole 10 minutes and they cost me less than one-third of a cent! And that's if crypto-mining actually was able to draw 150W from your CPU, using all cores at 100%.
So in the grand scheme of things, what would you prefer:
1. Ads that requires multiple address lookups, slow down your connection, add more delays for viewing the actual content you're trying to read and just be totally annoying to look at, distracting you and preventing you from reading?
2. Crypto-mining in the background, a single thread of our multi-core processors, at maybe 20~50% capacity of that one core out of two/four/eight+ cores?
#DeleteFacebook
I don't want to have to disable Javascript.
That would be bad.
What I want to have to enable Javascript. If I feel like it. If it seems like I'm missing out on something.
Does slashdot stress out ad blockers or what? Why not have ads that don't require Javascript? If the ads are too many then I just won't come back.
What if browsers severely limited the amount of execution time Javascript had to set up event handlers on controls in a business application. Then also severely limit the execution time of those event handlers -- exclusive of the time it takes for an event handler to make a limited number of ajax calls to the page's originating server. Would this idea limit the bitcoin mining abuse, while not constraining real applications?
I'll see your senator, and I'll raise you two judges.