Google Engineers Explore Ways To Stop In-Browser Cryptocurrency Miners in Chrome (bleepingcomputer.com)
An anonymous reader writes: Google Chrome engineers are considering adding a special browser permission that will thwart the rising trend of in-browser cryptocurrency miners. Discussions on the topic of in-browser miners have been going on the Chromium project's bug tracker since mid-September when Coinhive, the first such service, launched. "Here's my current thinking," Ojan Vafai, a Chrome engineer working on the Chromium project, wrote in one of the recent bug reports. "If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and show a toast [notification popup] allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely. I think we'll want measurement to figure out what values to use for XX and YY, but we can start with really egregious things like 100% and 60 seconds. I'm effectively suggesting we add a permission here, but it would have unusual triggering conditions [...]. It only triggers when the page is doing a likely bad thing."
An earlier suggestion had Google create a blacklist and block the mining code at the browser level. That suggestion was shut down as being too impractical and something better left to extensions.
Website forbidden. Please disable your cryptocurrency mining block and reload the page.
Most web surfing involves text, images, and perhaps video in a well-defined box. Anything else is generally crap that doesn't benefit the surfer.
I'd say rather than a percentage of total CPU utilization, they ought to be measuring against a percentage of the browser's CPU usage. Any non-whitelisted script that is taking more juice than it would take to render a straight text-and-image page can be throttled to zero, in my opinion.
Since EME is a standard in web browsers across the line, all I do is just use that to obfuscate my miner jobs running. Easily bypassed.
Disable Javascript. There's no reason not to.
High cpu usage blocked? Wait, so Facebook won't load?
Company threatened by emergence of a new model of online compensation uses control over existing infrastructure to severely limit its penetration into the market.
Big surprise.
Background browser windows get ZERO cpu. Unless you tick the little box that says 'keep active' or something.
And it needs to default to off.
Or just keep running old firefox with noscript. ain't broke don't fix it.
This will kill all the bloated web apps my clients demand I write for them.
Please no.
With a global preference and a per-site override, let us limit the CPU-time that a site can use. Even an absolute crawl should be enough to do DOM and CSS updates, and we can give "productivity" sites more CPU time if we want.
What if I want to use my browser for mining? The means already exist to block specific scripts.
Will Slashdot management pledge to never do this sort of in-browser mining on this site?
Will Slashdot management also ensure this pledge is irrevocable, and will thus be imposed on any future owners/operators/management of this website?
The problem with this method is half the web already acted like it was running a cryptominer before these things even showed up.
This would be a brilliant business strategy! No ads, clean uninterrupted browsing, they just get some CPU cycles from you. Most people wouldn't even notice the difference or the cost. I would do it not to have to look at ads. This could destroy Google's hold on ads and the new revenue stream for the internet. They should just let the user know what's going on and BAM!
I've been manually accomplishing the same thing with Quick Javascript Switcher to turn off JS on sites which abuse it, and The Great Suspender to freeze background tabs.
I also keep Windows Task Manager's CPU graph in the notifications bar so I can see if my computer isn't dropping to idle. That's what originally led me to start using The Great Suspender. Although in my case it wasn't cryptocurrency mining scripts, it was poor coding on Google's Photos and Drive websites which kept chewing up CPU cycles in the background.
Miner scripts will just dial it back to 50% CPU usage or whatever threshold chrome sets.
Chrome is a browser. We live in an age where some people (notoriously Google) think browsers need to run full fledged apps in a sense they must take advantage of modern processing power. That is just wrong - websites are nowadays supposed to be much more technically sophisticated, and yet, consequentially much LESS demanding with things like the quasi-extinction of flash and the advent of HTML5. In any case, 100%, or even 20% is not uncommon on "harmless" websites and this would induce in many false positives, many more than can be tolerable by any non-savvy user and this egregious, overzealous measure would still fire back.
I would also argue that there are more widely available parameters than CPU/GPU load to infer activity on tab X as distributed processing - frequent/constant outbound communication for instance, packet sniffing (you know, like ISPs do for traffic shaping) or identifying very specific calculation traits going on the local logical units. There are ways that, much like an antivirus, can detect suspicious behavior, patterns of processing other than raw usage, and it doesn't take a genius to figure those out.
Given this, don't be egregious from the start, but be incisive. I bet there are capable enough minds at Google that can easily discern many more and much less abstract ways for doing this than I described.
Chrome will be the new IE6
There's a documentation hub for a service out there that I noticed using 100% of one CPU core on my laptop, whenever I had a page open on it. Didn't matter whether the tab or Chrome window was foreground or not. I dug into it, and found a CSS spinner sitting underneath a Google translate button. I'm thinking the page designers wanted a spinner to show if that button took a while to load. But they designed it in CSS; it kept running forever, even after the button loaded; and it used 100% CPU. Having a built in defense against this kind of stupidity or malice would be awesome.
One answer is to have a simple way for the user to disable javascript in a browser - WITHOUT THE NEED TO INSTALL ADDONS.
But most users have no idea what that does and it would break most websites.
Many websites depend on ajax.googleapis.com as well as others. There are addons that have these common javascripts be local (such as Decentraleyes) for the purpose of privacy and not calling home to google for virtually every site you visit.
But if this is part of the browser (and made open source), you can browse a larger chunk of the web without additional javascript.
I read it as: Google Engineers Explore Ways To Stop In-Browser Concurrency in Chrome
How about blocking autoplay video? That shit is way worse than a miner.
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
I'd never go back to that site.
So how will you deal with the frustration when you find that the majority of the top ten results from a particular web search query come from that site and others like it? It becomes tedious to add a dozen or more -site:domain.example terms to every single query. Google Search used to allow blacklisting a domain, but this feature has since been permanently discontinued. I found some promising browser extensions for users of Google Search on select desktop browsers:
Google Chrome for desktop: Personal Blocklist
Firefox 56 or later: Personal Blocklist (not by Google)
Firefox 52 ESR or Firefox 56: Hide Unwanted Results of Google Search
But what works for Chrome for Android, Edge, or Safari? Or for DuckDuckGo or Bing?
Chrome will be the new IE6
Yes! my css code will work, at last!
Slashdot, fix the reply notifications... You won't get away with it...
As I understand it, EME provides a controlled interface to a Content Decryption Module (CDM). A CDM can obfuscate only audio and video decoding and output, not any process whose output the script can directly monitor. If you have a proof of concept of Monero mining in a well-known CDM, such as Widevine, Primetime, or PlayReady, I'd like to see it.
This is exactly the kind of thing I told you was going to happen yesterday and yet, only +3 Insightful.
Anons need not reply. Questions end with a question mark.
Javascript rears its ugly head.
Turn that shit off, and breathe easy.
It already kind of is. On the desktop, Microsoft was actually their main competitor. But then Microsoft launched Edge and like most new Microsoft products it was a crushing blow to Microsoft:
2 Years ago, MS still held an incredible 50% of desktop browser share:
https://www.netmarketshare.com...
Now, they are down to 20%
https://www.netmarketshare.com...
Despite being literally shoved into users' faces, the introduction of Edge didn't draw users away from Chrome. No, it seemed to send IE users running to it instead.
Chrome now has a commanding presence on desktop and we've already seen Google start to flex their muscle a bit in the same way Microsoft did when they controlled the world with IE. Make no mistake, Google has nowhere near that level of stranglehold but since the vast majority of browsers are Chrome they are the big dog now and they can get away with a lot of biting.
that kind of measurement system would mistakenly assume that all CPU intensive pages were a problem. that ain't the case. thus, tons of false positives requiring authorization and white-listing.
This is actually an excellent solution even for "valid" websites which misuse shady ad networks and contain otherwise bad JS code (for rendering/user interaction/ajax/etc). I just want these variables to be configurable, i.e. >=5 seconds of more than 70% 1 CPU core usage and the tab gets throttled.
The massive pegging of CPU is hardly new. There have always been terrible websites - many of them video ones - which for various reasons, suck up as much CPU as they're able to, bringing the machine to a crawl. Most of them are video related, including flash (it was notorious), and - in its early days - YouTube. The worst are those that call functions of code you had to install natively.
The problem is that most browsers give absolutely no indication that this is happening, leaving the user to wonder why his PC is slow. Yes, you can do a top/task-manager/activity monitor to figure out what is going wrong, but even if you're that sophisticated, you often end up having to kill the entire process simply to stop one errant thread. This never works for unsophisticated users.
In a sense, this is quite a bit like the "where the hell is that audio coming from?" problem in browsers, except that it isn't even that obvious. What is really needed is for browsers to forcibly sleep threads of background windows for 90% of their time. (Don't just lower their priority; that doesn't work.) Also, if a thread demands CPU constantly, put a pattern on the tab and shake it back and forth. That will let people know when some errant javascript is taking up your CPU horsepower.
Unless you want to put a "virus checker" or an AI inside of the browser to figure out what code is doing, trying to just filter based on what code is doing isn't going to work. There are too many ways to disguise these kinds of calculations. Focus on the ultimate effect.
Yay, a builtin Google+ blocker. Finally we will not have to endure overheated machines and Google+ using 100% CPU for minutes anymore :)
Let a hundred extensions bloom!
Let extension developers deal with the problem.
Once a great approach is identified, bake it in all browsers.
A monolithic company (and specially one like google, which lives off ads) is not the best place to come with a solution, let alone a great overall solution
*** Good luck to everyone and have a happy day!
See subject & best option right now is to block known Bitcoin mining domains. One of the better options to do that is to add these to the hosts file of the operating system so that these domains redirect to localhost" https://www.ghacks.net/2017/09... Martin Brinkman - GHacks
+
"... use this classic Windows hosts trick to block the Coinhive or Crypto-Loot domains at the OS level" - https://www.bleepingcomputer.c... BLEEPING COMPUTER
* Via APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
APK
P.S.=> Accept NO substitute for more speed, security, reliability & anonymity online that does FAR more for FAR less vs. other "so-called 'solutions'", natively w/ what you already have in a hosts file - NO other SINGLE competitor does as much (& competitors many times more complex + exploitable also)... apk
It's not desktop muscles they're flexing (yet). It's search. How fast websites render in Chrome (okay, according to rules that totally happen to randomly perfectly align with Chrome) influences pagerank
Your ad here. Ask me how!
To associate 'cryptocurrency' with 'BAD' - malware, volatility, hackers, crime, arms dealing, porn, ransom....
Just look at the headlines. Just look at them.
This place is an absolutely insult to your intelligence.
I like going to Newegg and browsing through the specials in an image carousel. I like clicking 'reply' on slashdot and getting a box to reply in. I like thumbnail previews. I like menus I can browse without reloading a whole page. I like web mail that feels like a mail client. Heck, I like a responsive and modern web.
If you don't, go run Lynx in X11. The rest of us will carry on living in 2017 and even 2018 when it comes along.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
real simple !script , won't upgrade browser until this plugin is supported
Perhaps Google is more afraid that this distributed computing model might compete with their fledgling Google Cloud computing offering. AWS already makes more money for Amazon than their retail sales business. If Google is going to compete, they are going to have to stifle distributed computing so that crypto miners will perceive a greater value in the Google Cloud.
$5 / month hosted VPS on linux = awesome!
Easy, they do it the same way I block Google's stupid ads, with uBlock.
While I actually like the idea of being allowed to choose whether to donate a few cycles or to watch ads - I would always choose to donate cycles (no privacy problem, no malware problem, no security problem, no tracking problem...).
HOWEVER, this will end poorly
This is because websites tend to be greedy. They won't go "either ads or cryptomining". They will go ads AND cryptomining. Just like cable TV.
Anyone caring about their computer's health and data integrity should avoid google software. To me, the Google Chrome browser does not fit the definition of a web browser. Its "features" are invasive so I wouldn't recommend it to anyone for use on personal devices.
The problem here is that if I'm on a slow machine, long-running but perfectly legitimate scripts *will* be burning more CPU time and for longer than faster machines, but I suspect putting that page in this "battery-saver mode" will get triggered a lot more than intended. Unless it's so forgiving that you might as well not have it at all. Or it's actually rated in a way so the CPU's performance is taken into account.
Hosts protect where addons can't (or as well):
Bad sites (past ads)
Botnet C&Cs
DNS down or poisoned
Trackers (dns logs/ads/transparent ISP proxy)
Dns blocks
Spam/phish payload
Slowdown 2 ways: adblocks & hardcodes
Hosts = Ez edit.
AB+ 151mb https://www.google.com/search?q=Adblock+memory+consumption&btnG=Search&hl=en&gbv=1/
UBlock 64MB https://www.google.com/search?q=UBlock+memory+consumption&btnG=Search&hl=en&gbv=1/
Hosts~16mb
Addons = ClarityRay defeatable & crippled http://www.businessinsider.com/google-microsoft-amazon-taboola-pay-adblock-plus-to-stop-blocking-their-ads-2015-2/
NoScript tag parses. Hosts block script prior to it!
No 1 addon does as much.
Stacked addons slowup.
ADDONS = EXPLOITABLE https://news.slashdot.org/comments.pl?sid=11166303&cid=55266729/
APK
P.S.=> APK Hosts File Engine https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
See subject & this article http://www.theregister.co.uk/2017/10/17/ublock_origin_csp_reports/
APK
P.S.=> It's actually BLOCKING security warnings & it shouldn't be (nor does the developer of UBlock intend to fix it apparently)... apk
>"If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and..."
We should have already HAD this in ALL browsers. I suggested it for Firefox years and years ago. It isn't just cryptomining, but some sites have HORRIBLE programming with endless animation and crap moving and changing and calculating and re-loading things all the time. And who knows what is next.
If the browser IS the next OS, then regardless of the actual OS or browser, we need more controls in the browser to control resources.
Please let this happen!
Google isn't doing you a favor. Mining allows sites to pay for their operations without ads. Google wants to sell ad metrics and placement targeting to advertisers.
I don't care if someone mines when I visit their site. Why not? It's a free resource for me. I need to heat my house anyway. I can control when it happens. I like it.
Google is afraid
Some drink at the fountain of knowledge. Others just gargle.
Stop allowing websites to fucking well run Javascript, problem solved.
Sorry, but Javascript is so horribly abused by analytics, ads, and other assholes that I simply block the shit out of it. No third party javascript should ever be allowed to execute. Most javascript is shit you don't need so some incompetent web designer can add flashy bullshit you don't need.
Like app permissions that phone manufacturers are reluctant to give us (because they profit from them), javascript needs far more user control ... but in the case of Chrome, Google is an advertiser and isn't going to cut their ability to run this shit.
But make no mistake about it, Google Analytics is one of the many parasites embedding javascript in most of the sites you visit.
The problem is the entire permission model of javascript is broken, as is the expectation that every site should be able to run scripts.
Me, I'll block your fucking ads, and I'll keep blocking your fucking javascript if it means you think you're going to use my CPU to mine coins. The internet as we know it is a shit hole of commercial interests and other douchebags. Between malware, ads, and shit like this, I refuse to feel guilty for blocking the means of shit like this.
If I have to trust everyone by default, or distrust everyone by default, there's no real choice there. Because ad companies are greedy assholes who I simply refuse to trust. I sure as hell am not going to trust them to run scripts.
Why does google get to decide and censor what JavaScript a website can run?
Google doesn't get to do so unless you use the Google Chrome browser or reach the website through Google Search. Both have replacements: Firefox and DuckDuckGo, or Edge/Safari and Bing.
60 seconds at 100% won't work. They'll just write the code to sleep for 1 second every 59 seconds.
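The "XX% for YY seconds" rule quoted in the summary, run against the pause-to-evade pattern described in the comment above, as an added example (not Chromium code and not written by any commenter). The leaky-bucket alternative, its allowance and capacity values, and every workload sample are assumptions constructed for illustration.

```javascript
// Added example. Samples are constructed: one CPU utilization value per
// second for a single tab, as an integer percent of one core (0..100).

// Rule as quoted in the summary: >= xx percent for yy consecutive seconds.
// Returns the second at which throttling would start, or null.
function consecutiveRule(samples, xx, yy) {
  let run = 0;
  for (let t = 0; t < samples.length; t++) {
    run = samples[t] >= xx ? run + 1 : 0; // any dip resets the counter
    if (run >= yy) return t + 1;
  }
  return null;
}

// Hypothetical alternative: a leaky bucket over percent-seconds. Each second
// adds the sample and drains `allowance`; throttle once the level exceeds
// `capacity`. A one-second pause lowers the level slightly, it does not reset it.
function budgetRule(samples, allowance, capacity) {
  let level = 0;
  for (let t = 0; t < samples.length; t++) {
    level = Math.max(0, level + samples[t] - allowance);
    if (level > capacity) return t + 1;
  }
  return null;
}

// Constructed workloads, 10 minutes each.
const SECONDS = 600;
const make = (fn) => Array.from({ length: SECONDS }, (_, t) => fn(t));
const workloads = {
  sustained: make(() => 100),                          // pegged core
  dutyCycled: make((t) => (t % 60 === 59 ? 0 : 100)),  // idle 1 s in every 60
  halfSpeed: make(() => 50),                           // steady 50% load
  burstyApp: make((t) => (t % 120 < 20 ? 100 : 5)),    // 20 s burst, then near idle
};

// Compare both rules: 100% for 60 s versus allowance 30, capacity 6000.
function evaluate() {
  const out = {};
  for (const [name, samples] of Object.entries(workloads)) {
    out[name] = {
      consecutive: consecutiveRule(samples, 100, 60),
      budget: budgetRule(samples, 30, 6000),
    };
  }
  return out;
}

console.log(evaluate());
```

The consecutive rule fires only on the pegged core, while the budget rule also flags the duty-cycled and half-speed loads and leaves the bursty page alone.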
Many web sites are loading thousands of Javascript modules which they often load from untrusted sites. What happens when someone starts sending patches adding a bit miner for their own account into existing code? That is happening right now.
ChromeGoogleAlphabet didn't feel the need to include ad blocking when ads are actual security threats, but mining - a direct challenger to their bottom line - warrants browser changes. Neat.
How does Edge go for downloading Firefox and Chrome? I used Internet Explorer for that on my current computer. (I can't think of a better use for a Microsoft browser.)
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
This would be great. I could throttle down Facebook from burning all my CPU and give the rest to The Pirate Bay to pay them back for all they've done for us.
- For the complete works of Shakespeare: cat