A Surge of Sites and Apps Are Exhausting Your CPU To Mine Cryptocurrency (arstechnica.com)
Dan Goodin, writing for ArsTechnica: The Internet is awash with covert crypto currency miners that bog down computers and even smartphones with computationally intensive math problems called by hacked or ethically questionable sites. The latest examples came on Monday with the revelation from antivirus provider Trend Micro that at least two Android apps with as many as 50,000 downloads from Google Play were recently caught putting crypto miners inside a hidden browser window. The miners caused phones running the apps to run JavaScript hosted on Coinhive.com, a site that harnesses the CPUs of millions of PCs to mine the Monero crypto currency. In turn, Coinhive gives participating sites a tiny cut of the relatively small proceeds. Google has since removed the apps, which were known as Recitiamo Santo Rosario Free and SafetyNet Wireless App. Last week, researchers from security firm Sucuri warned that at least 500 websites running the WordPress content management system alone had been hacked to run the Coinhive mining scripts. Sucuri said other Web platforms -- including Magento, Joomla, and Drupal -- are also being hacked in large numbers to run the Coinhive programming interface.
is so tired.
Come on! CNN doesn't need your titties!
After the amount of times the CIA did similar meddling in foreign governments, your country has no fucking right to complain.
We have a right to defend ourselves against traitors like Moscow Donald.
You can complain about America's past sins all you want, and some of those criticisms are quite fair, but:
Would you really rather have your country in the orbit of Russia's pervasive corruption, or be associated with the United States, which makes it a crime for their own citizens to bribe foreign government officials?
Slashdot keeps mentioning this. Are you considering adding this to the website? That would be cool!
This might remind people how weird it is that they run software automatically downloaded from arbitrary foreign sources all the time on their personal computer.
If people still knew how to write HTML, almost no web site would need to use any "JavaScript" or other "active content", with all the security issues this implies.
They are not! Because I'm not a big enough idiot to run javascript from anybody who happens to offer it.
How many cell phones would you need to commandeer, and for how long, in order to successfully mine a Bitcoin using JavaScript?
It seems like trying to boil the ocean by stealing cigarette lighters...
I don't care if it's 90,000 hectares. That lake was not my doing.
The miners caused phones running the apps to run JavaScript hosted on Coinhive.com
I wish my browser let me do this: Disable JavaScript in general. When I need JavaScript, tell my browser to enable it for a particular website that I'm displaying, this time only. When I close the browser window or tab for that website, then JavaScript is again completely disabled.
That would keep JavaScript from other websites from running without my knowledge.
I doubt enough browsers support the fancy animations that PHB's love so much: wiggly throbbing bouncy controls. They want the UI to behave like the breasts they get slapped for trying to touch.
Eye-candy sells and the silly humans fall for it. Proverbial books continue to get judged by their covers. Good luck fixing human nature.
Table-ized A.I.
If people still knew how to write HTML, almost no web site would need to use any "JavaScript" or other "active content"
How would, say, a web-based front-end to an IRC server work without script? It needs to know when messages have arrived in order to display them. The same is true of a multi-user whiteboard, which needs to know when another user has drawn a stroke. In addition, server-side image map doesn't support drag input, only click input.
Or should those instead be native executables that a user can download, install, and use? If so, then because native executables are generally specific to one operating system, Murphy's law holds that such an application will inevitably be designed for an operating system other than the one your device regularly runs. And it's still "software [manually] downloaded from arbitrary foreign sources".
Or should real-time interactive applications instead be written for the Java Virtual Machine or the .NET Common Language Runtime? Even though one such executable can run on multiple desktop operating systems, it still generally excludes iOS and Android, and it's still "software [manually] downloaded from arbitrary foreign sources".
Whether crypto-mining or not, some pages seem to use a disproportionate share of cpu time for the content they're delivering. Some form of cpu usage indicator per tab would be helpful, similar in vein to the speaker icon on tabs that produce sound.
and it's an i5-7500. Not only does it have plenty of headroom on processing but even if I'm running Burn in Test it doesn't get above 40 Celsius on a CPU that could comfortably hit 70 for the next 20 years. The electricity cost is negligible too.
I can't even get that worked up about this stuff on my cell phone. I don't generally browse on it for hours on end. Maybe if I used a tablet I'd care, but as it stands this is kind of a non-issue. What surprises me is the amount of white hot rage over it going around the net. I think it makes people feel like marks that they're not getting their cut, nevermind that they got their cut when they consumed the content on the site (assuming they weren't tricked, but then we're talking mal-ware, which is a whole 'nother discussion).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
We live in some strange times, where thieves are trying to steal CPU cycles from our devices. Just wow, who would've ever thought this would ever be a thing?
On another note, I think I might have stumbled across a site doing this and it's pretty annoying, browser goes very slow.
No you should complain about it and take efforts to stop us. Just as we certainly should punish Russia
I'm sure that Putin would agree might makes right and we're by far the mightiest.
Does anyone remember the person that deleted the small JavaScript file and brought down so many big sites because they were loading it from his site instead of having a copy on their own site? I think it was to justify text. It was only a couple of lines.
You need to find a function that is popular like that and is loaded from a central server. Once you have identified one then find a way to change it so that it gets the browsers to mine cryptocurrency. Probably don't want it to spike the CPU usage as it would give it away.
Bad word choice is bad.
The electricity cost is negligible too.
The price of electric power depends on where you live. And in a lot of places, people have to pay twice for electric power: once to run the computer and once to run the air conditioner that moves the heat generated by the computer to the outside.
nevermind that [viewers] got their cut when they consumed the content on the site
Why do people keep referring to viewing works created by others as "consuming" them? A work isn't "consumed", or used up, in the act of viewing it.
Google is classifying Coinhive as a threat to its advertising business, it's safer than ads for the end user. Many websites are running with this narrative, why?
https://f-droid.org/packages/#q=IRC
You do know this link doesn't work if client-side script is turned off, correct? Without client-side script, the server cannot see the fragment identifier (the part after the #, in this case q=IRC), and the document behaves as if you had navigated to https://f-droid.org/packages/ itself.
With all the garbage that most sites want to run on our CPU's to serve ads and do all sorts of tracking why is crypto currency mining any different? Every single page that you hit on the internet has TONS and TONS of javascript crap that wants to run. All of this nonsense wastes our CPU power for the benefit of the site we are using. Is it just the direct revenue that we are offended by all of a sudden? Tracking code profits them directly. Offloading tasks onto your machine that should be done on their web server profits them directly by allowing them to run a smaller footprint of less powerful servers.
If you want to stop this nonsense install a javascript blocker. Noscript and adblock plus are great add ons that will improve your browser experience. For those sites that have ad block blockers? Fuck them. I hit the back button and never go to those sites. There's millions of alternative sites out there to get the same information who's not going to be tacky about a user putting their foot down to what's run on their system.
Web designers really need to think about all the javascript garbage that they are packing their pages with and how their users are just going to start blocking them. I browse the web on a 5ghz i7700k with 64gb ram. I still don't want this bullshit slowing down my experience or wasting my electricity running tasks for the benefit of a for profit business.
I'm actually glad people are finally using this for more nefarious purposes. It's going to get us visibility into an issue with the web today. This is an out of control wild west practice that needs to be curbed. If more users start using noscript designers will need to think twice before packing their pages full of crap.
BTW for you web designer assholes. I'm GLAD that blocking all your garbage causes you issues. I'm glad it costs you directly in your ad revenue and I'm glad that your web statistics are not accurate. Fuck you people and your abusive use of my computing resources.
I would rather that you got your fucking nose out of my business. Please tell me how US interference is somehow better than Russian interference in my own private life? Thanks.
US interference advocates for democracy, transparency, anti-corruption, and a free press. This is good for you, and for your country.
Russian interference makes your entire government dependent on corruption which flows through Moscow. Government repression is encouraged.
In case you haven't noticed, the kind of corruption Russia brings to countries is disastrous for their people and their government.
In short, while the US makes mistakes and occasionally elects a war monger or a traitor, we tend to strive to do the right thing, and when we are wrong we admit it and try to do better.
Russian interference makes your entire government dependent on corruption which flows through Moscow. Government repression is encouraged.
So tell the rest of the world again about Citizens United and how america hasn't institutionalised corruption? Legalising bribery doesn't mean it isn't morally reprehensible.
Russia may be a sack of shitheels but at least they don't pretend their bullshit is on the level.
That's completely incorrect. Virtually all network clients can run unprivileged and so can be installed and run in the current directory, even by a guest. In fact that's nearly true for network server daemons as well, except for the fact that services generally need to bind to a privileged low-number port and that's the main reason why they normally require system privileges. But even the server-side applications can be installed and run without special privileges if you tell them to bind to an unprivileged port.
This is a general property of network applications, which is the opposite of what you claimed. Furthermore, because IRC daemons bind to a high port anyway, typically 6667 or 6697, there is no reason why they need to be installed by the administrator or root at all.
Type "about:performance" in the URL field of any recent Gecko web browser (e.g., SeaMonkey and Firefox) to show a top-type view. I would also like to see a tab version like its audio.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
The Obama administration fought hard against that decision, and ultimately lost. Compare to Putin who imprisons his political opponents.
America is a roughly level system making mistakes while slowly moving in the right direction, with occasional lurches in the wrong direction like Citizens United and Trump / Russia.
When the US invaded Iraq on false pretenses we next elected a President to pull us out even as it weakens our position in that country. Disaster followed by altruism is better than the repression and corruption that Russia spreads with its influence.
"When the US invaded Iraq on false pretenses we next elected a President to pull us out..."
And yet the war wages on even though Mr. Peace had two terms.
I doubt enough browsers support the fancy animations that PHB's love so much: wiggly throbbing bouncy controls. They want the UI to behave like the breasts they get slapped for trying to touch.
And to think, if only they grabbed by the pussy they'd be fine.
US interference advocates for democracy, transparency, anti-corruption, and a free press.
You really do believe that, don't you? I'm out of words here...
I'm sorry, but I am very confused and perhaps you can assist.
When the US government overthrew a democratically elected leader to protect the profit margins of "United Fruit company" how was that advocating democracy? Isn't that the definition of corruption?
https://en.wikipedia.org/wiki/1954_Guatemalan_coup_d%27%C3%A9tat
> US interference advocates for democracy, transparency, anti-corruption, and a free press. This is good
> for you, and for your country.
ROFL. American interference is to push corporate agendas. America is completely controlled by corporate interests.
I don't give a shit about you and yours. I give a shit about me and mine. Even a drunk Ruskie should be able to figure that out.
And why are you all responding to this obvious and unsophisticated tRoLL?
This is why we can't have nice things, idiots like you.
US interference advocates for democracy, transparency, anti-corruption, and a free press. This is good for you, and for your country.
Is that so? Well, let's see what US interference got some countries.
There is for example Augusto Pinochet, the veritable epitome of freedom and democracy. That the CIA installed him after eliminating Salvador Allende, the democratically elected president of the country, shouldn't faze you. That Allende must have been some kind of Commie for sure.
Or how about Shah Reza Pahlevi, who was installed after some idiot dared to nationalize the oil fields in Persia. Old Reza put our oil back into our hands ("our" being us Westerners, of course) and in return we gave him the fourth largest army on the planet. He was a bit of a despot, though, but that's secondary.
Maybe Manuel Noriega? Yes, believe it or not, that once was our buddy. Before he tried to actually think for himself, then the US quickly removed him. But calling the op to get rid of him "Operation Just Cause" was ... you know, there's irony and then there is mockery.
No, now I got it. Ferdinand Marcos. Now here's a poster child for transparency, freedom of press, democracy and most of all anti-corruption!
And I guess I don't have to introduce him, do I? Originally hired to take our toys away from that Ayatollah after that towelhead had the audacity to kick our friend Reza in the butt, he eventually became our butt to kick himself.
Now that I think of it, that does happen to a lot of our "friends"...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Easy. We have to slap people for trying to touch the wiggly throbbing bouncy controls, too.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Ads don't need web sockets, for example. Or file I/O. They most definitely shouldn't have access to parent document.
What benefit does the viewer derive from an ad having absolutely no access to the parent document? I understand your objection to write access to the parent document. But without read-only access to the parent document, the ad code cannot determine the page's topic and therefore cannot select an ad that is relevant to the page's topic. Without access to the page's topic, the ad has no way to determine the viewer's interests and must instead use an interest dossier derived by tracking the user across multiple websites to log his browsing history. And the "retargeting" technique associated with such fine-grained interest dossiers is a large part of what led to ad blocking in the first place.
...what, like Slack?
See subject & "I've got one that can see!" from the classic cult film noted - you're correct in that bitcoinmining funding threatens Google (& any advertiser) & the REASON sites "run with it" as you say is since it threatens THEIR ad money too (who gets the sponsorship from big advertisers? Websites do).
* HOWEVER: IF/WHEN a site surreptitiously puts in scripts that do this minus YOU knowing it (running on YOUR power dime & CPU cycles + RAM etc.)? What ELSE would they "sneak in" on you??
(Think about it).
APK
P.S.=> It's ALL bad - ads slow & infect you + track you - how long before bitcoin mining greed starts infecting & tracking you also? Only a matter of time, ads set the precedent already... apk
Hosts protect when addons can't (or as well):
Bad sites (past ads)
Botnet C&Cs
DNS down/poisoned
Trackers (dns logs/ads/transparent ISP proxy)
Dns blocks
Spam/phish payload
Slowdown 2 ways: adblocks & hardcodes
Hosts = Ez edit.
AB+ 151mb https://www.google.com/search?q=Adblock+memory+consumption&btnG=Search&hl=en&gbv=1/
UBlock 64MB https://www.google.com/search?q=UBlock+memory+consumption&btnG=Search&hl=en&gbv=1/
Hosts~6mb
Addons = ClarityRay defeatable & crippled http://www.businessinsider.com/google-microsoft-amazon-taboola-pay-adblock-plus-to-stop-blocking-their-ads-2015-2/
NoScript tag parses. Hosts block script prior to it!
No 1 addon does as much.
Stacked addons slowup.
ADDONS = EXPLOITABLE https://news.slashdot.org/comments.pl?sid=11166303&cid=55266729/
APK
P.S.=> APK Hosts File Engine https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
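The hosts-file blocking discussed in this thread, applied to the Coinhive domain named in the article, as an added example that is not part of any comment. It also shows a limitation the thread does not mention: hosts entries match exact names only, so an unlisted subdomain still resolves. `miner.example` and `ws.coinhive.com` are constructed names, and the sample hosts content is constructed.

```python
# Added example (not from the thread): idempotent hosts-file blocking and a
# coverage check. Hosts files have no wildcard syntax, so every hostname that
# should be blocked has to be listed individually.

SINKHOLES = {"0.0.0.0", "127.0.0.1"}

# Constructed sample of an existing hosts file.
SAMPLE_HOSTS = "127.0.0.1 localhost\n# local overrides below\n"

# coinhive.com is the domain named in the article; miner.example is a placeholder.
BLOCKLIST = ["coinhive.com", "miner.example"]


def parse_hosts(text):
    """Return {hostname: address}. Assumes the resolver uses the first match."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def add_blocks(text, domains):
    """Append 0.0.0.0 entries for names not already present; return the new text."""
    table = parse_hosts(text)
    missing = []
    for d in domains:
        d = d.strip().lower()
        if d and d not in table and d not in missing:
            missing.append(d)
    if not missing:
        return text  # nothing to add: running twice changes nothing
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "".join(f"0.0.0.0 {d}\n" for d in missing)


def is_blocked(text, hostname):
    """True only if this exact hostname is mapped to a sinkhole address."""
    return parse_hosts(text).get(hostname.lower()) in SINKHOLES


def uncovered(text, observed_hosts):
    """Hostnames seen in browser or proxy logs that the hosts file does not sinkhole."""
    return [h for h in observed_hosts if not is_blocked(text, h)]


if __name__ == "__main__":
    updated = add_blocks(SAMPLE_HOSTS, BLOCKLIST)
    print(updated)
    # The constructed subdomain is not covered by the coinhive.com entry.
    print(uncovered(updated, ["coinhive.com", "ws.coinhive.com"]))
```

Feeding `uncovered` the hostnames actually observed in browser or proxy logs shows which entries the blocklist still needs.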
What benefit does the viewer derive from an ad having absolutely no access to the parent document? I understand your objection to write access to the parent document. But without read-only access to the parent document, the ad code cannot determine the page's topic and therefore cannot select an ad that is relevant to the page's topic.
Funny, you answered the question you asked. If an ad can determine the content of a page it can know what a user's preferences are by combining multiple serves across pages. By knowing that the ads can construct detailed user profiles. By doing that ads are no longer just ads, but data-collection systems. By being data-collection systems their primary use is to be sold to corrupt governments, because nobody buys shit from ads anyway.
Cut javascript off (classic Opera globally setting all sites to no script & exception sites IF demanded (BySite Prefs)) & block cryptominer servers via APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
Even if served from same site it works vs. mining clusters https://news.slashdot.org/comments.pl?sid=11268807&cid=55425191/ + security pros suggesting it's the right thing to do via hosts!
APK
P.S.=> "block known Bitcoin mining domains. One of the better options to do it is to add these to a hosts file" https://www.ghacks.net/2017/09/22/how-to-block-bitcoin-mining-in-your-browser/ GHacks
"use the classic Windows hosts trick to block Coinhive or Crypto-Loot domains at OS level" - https://www.bleepingcomputer.com/news/security/a-new-player-joins-coinhive-on-the-browser-cryptojacking-scene/ - BLEEPING COMPUTER
What happened to the Referer header?
These are exactly similar to all those advertising. Each portion of the content discloses only a part of the fact but never state it in full, or audiences would find that it is false.
The wall is about to go up, and nobody can stop it.
What was the full promise again? Yes, Mexico will pay for it. Hmm... Really? Are you that stupid dumb f**k who still believes that part too? No, you don't believe that part but rather intend to ignore it, or you would have included this portion in your post. Well, you voted for him, then you will PAY for it (including all other innocents).
Illegal aliens *will* be deported. If you're illegal, you should have straightened that out long ago.
You are not only stupid but also ignorant. Deporting illegal aliens happened in many other presidents including the one you and your overlord are accusing. There are many sources if you just really use your brain to do some googling. Oh wait, you aren't capable of doing that, I forgot.
http://www.bbc.com/news/uk-pol...
http://www.pewresearch.org/fac...
http://abcnews.go.com/Politics...
You had plenty of warning. Trump is the FIRST politician to ACTUALLY do what he SAID he would.
No, he is the same as all politicians that DO WHAT THEY SAID IN PART and COVER OTHER PARTS THEY DIDN'T DO. The only difference is that he always attempts to CLAIM ALL CREDITS THAT ARE FOR OTHERS.
But honestly. I actually don't mind this model too much. Although I do believe that such apps and sites should try to be smart about it and attempt to back off if a borrowed CPU is being overloaded. While JavaScript doesn't have any easy ways to check CPU usage at the very least they could include a checkbox allowing for it to be disabled if users notice their computer slowing.
Hi,
We noticed that you have published your app on Android Play Store/Apple App Store. We (MedsWeb) provide technology services to enable app developers integrate Monero mining (a crypto currency similar to bitcoin, but very profitable to mine on general purpose devices like smartphones) within their app and monetize it. If your app is deployed on thousands/millions of devices, you can monetize it with monero mining and earn really huge income.
We manage all the complexity of backend servers and mining operations and you get a really simple control panel to monitor your hashrate and earnings.
Features of our service are:
1. Very easy Integration to any app
2. 0 knowledge of crypto currency mining required.
3. Several key features to ensure 0 inconvenience to your app's user.
->Mining Only when device's battery level is greater than 70% (variable as per your choice), so that user does not have any battery issues.
->Mining only on those phone which have at least 4 processor cores
->Using only 1 processor core (variable as per your choice) for mining, rest of the cores are free for user's own work.
->No mining when device's sleeping, so battery usage only when user is actually using his phone.
4. You have a control panel to real time monitor the hashrate generated by your apps.
5. 100% legal and legitimate. You just need to include the fact in your app's user license that we use their device for some calculations.
5. Daily Payment to your monero wallet.
6. We charge only 0.5% as fee. No setup charges or any other hidden fee.
For an estimate of your app's earning potential or any other discussion, feel free to contact us on skype : info@medsweb.in
--
MedsWeb Team
SETI galaxy gazing Search for Extraterrestrial Intelligence
BITCOIN MINING navel-gazing search for Earthbound stupidity
I remember when cryptography was fun and had a noble purpose
Now even strong cryptography can be snake oil when it is being sold Enron-style by increasingly 'wealthy' middlemen as a replacement for money. Who knew?
<blink>down the rabbit hole</blink>
If an ad can determine the content of a page it can know what a user's preferences are by combining multiple serves across pages.
Only if it sets a persistent cookie. An ad serving script that can see the text of the parent document but lacks privilege to associate it with a persistent cross-site user identifier can serve somewhat relevant results without tracking.
Reliance on the HTTP Referer: header to communicate the context to the ad server doubles HTML traffic. Every time the user views an HTML document, the server would see two hits to the HTML document: one from the viewer and one from the ad server to read the document on which the ad is placed.
So tell the rest of the world again about Citizens United [wikipedia.org] and how america hasn't institutionalised corruption?
The Citizens United decision says one thing: that groups of people don't give up their free speech rights because they're an organization and not just a single person.