A Surge of Sites and Apps Are Exhausting Your CPU To Mine Cryptocurrency

Dan Goodin, writing for ArsTechnica: The Internet is awash with covert crypto currency miners that bog down computers and even smartphones with computationally intensive math problems called by hacked or ethically questionable sites. The latest examples came on Monday with the revelation from antivirus provider Trend Micro that at least two Android apps with as many as 50,000 downloads from Google Play were recently caught putting crypto miners inside a hidden browser window. The miners caused phones running the apps to run JavaScript hosted on Coinhive.com, a site that harnesses the CPUs of millions of PCs to mine the Monero crypto currency. In turn, Coinhive gives participating sites a tiny cut of the relatively small proceeds. Google has since removed the apps, which were known as Recitiamo Santo Rosario Free and SafetyNet Wireless App. Last week, researchers from security firm Sucuri warned that at least 500 websites running the WordPress content management system alone had been hacked to run the Coinhive mining scripts. Sucuri said other Web platforms -- including Magento, Joomla, and Drupal -- are also being hacked in large numbers to run the Coinhive programming interface.

my Crypto Purloined Unit

[turkeydance]

is so tired.

Re:my Crypto Purloined Unit

[Dutch+Gun]

This is just indicative of the much larger issue of how incredibly dangerous it is to allow servers to inject and run arbitrary code from third parties on your client machines. Third party ad-networks already do this, and if they're benign, they'll only TRACK you. If they're not, they'll do this, or try to hack your machine, or just about anything else they want to with all the power Javascript gives them - crypto-currency mining included.

Re:Worse than TREASON!

After the amount of times the CIA did similar meddling in foreign governments, your country has no fucking right to complain.

Again?

[110010001000]

Slashdot keeps mentioning this. Are you considering adding this to the website? That would be cool!

Re:Again?

[thegarbz]

And in an effort to speed up their computers the browser windows were closed. Companies across the globe reported a large increase in productivity in their workforce.

There is some good in this.

[ffkom]

This might remind people how weird it is that they run software automatically downloaded from arbitrary foreign sources all the time on their personal computer.

If people still knew how to write HTML, almost no web site would need to use any "JavaScript" or other "active content", with all the security issues this implies.

Re:There is some good in this.

[drinkypoo]

Even here on Slashdot, not a week goes by that one of the Story URLs just displays a blank page or perhaps a Javascript warning (or simply a fragment of the mangled page content) because you absolutely, positively cannot view the page without it. This in turn is at best a sign of someone who is really crap at web design, mostly that they (or the editor they're using) don't comprehend CSS even slightly — but at least equally likely that they want to spy on you, use your computer to mine coins, or carry out some other nefarious scheme like using you to mount a DDoS. Usually, I can find a superior story link which will load without Javascript in a matter of seconds. When even Slashdot doesn't care, what hope do you have for the general populace?

Re:There is some good in this.

[thegarbz]

If people still knew how to write HTML, almost no web site would need to use any "JavaScript" or other "active content", with all the security issues this implies.

Did you just join us from 1996? Do you even know how the modern internet works?

Does this work?

[Jeremi]

How many cell phones would you need to commandeer, and for how long, in order to successfully mine a Bitcoin using JavaScript?

It seems like trying to boil the ocean by stealing cigarette lighters...

Re:Does this work?

[ffkom]

If stealing cigarette lighters could be automated, such that your effort to steal 500 millions of them is not higher than stealing 1, I would bet that some thieves would try this, if only for their personal entertainment.

Re:Does this work?

How many cell phones would you need to commandeer, and for how long, in order to successfully mine a Bitcoin using JavaScript?

Probably quite a few, which is the advantage of something like that. Pretty much the same as spam, on an individual basis it's probably not very lucrative or effective. But by the time you are getting a 1-2% rate on a vast number of things, it balances out.

I'm utterly unsurprised people are harvesting CPU via javascript. And I'm utterly laughing because I whitelist javascript and sure as fuck don't allow arbitrary sites to run shit like that ... because I assume the average site is ran by greedy assholes.

Ads, malware, analytics ... it's all the same to me. Block the shit out of it no matter what it is. Because someone either wants to monetize your information, or, apparently, the act of browsing to their site to offer up your CPU to them.

As structured, the web has an idiotic security model, where you are expected to trust every site you visit to essentially run arbitrary code, set cookies, and access god knows what.

This shit was inevitable, and pretty much reinforces my belief that trusting random websites is idiotic. But people keep doing it, because they can't live without cat videos and poop emojis.

This is the internet we deserve.

Re:Does this work?

[Opportunist]

Millions, billions, does it matter?

Same problem as with spam. One in a million clicks on the shit, but since the price to send is zero, if that millionth's idiot hands you 10 bucks, it's getting 10 bucks with zero effort.

Eye Candy Sells [Re:There is some good in this.]

[Tablizer]

If people still knew how to write HTML, almost no web site would need to use any "JavaScript" or other "active content", with all the security issues this implies.

I doubt enough browsers support the fancy animations that PHB's love so much: wiggly throbbing bouncy controls. They want the UI to behave like the breasts they get slapped for trying to touch.

Eye-candy sells and the silly humans fall for it. Proverbial books continue to get judged by their covers. Good luck fixing human nature.

Not all web apps work with just HTML and CSS

[tepples]

If people still knew how to write HTML, almost no web site would need to use any "JavaScript" or other "active content"

How would, say, a web-based front-end to an IRC server work without script? It needs to know when messages have arrived in order to display them. The same is true of a multi-user whiteboard, which needs to know when another user has drawn a stroke. In addition, server-side image map doesn't support drag input, only click input.

Or should those instead be native executables that a user can download, install, and use? If so, then because native executables are generally specific to one operating system, Murphy's law holds that such an application will inevitably be designed for an operating system other than the one your device regularly runs. And it's still "software [manually] downloaded from arbitrary foreign sources".

Or should real-time interactive applications instead be written for the Java Virtual Machine or the .NET Common Language Runtime? Even though one such executable can run on multiple desktop operating systems, it still generally excludes iOS and Android, and it's stlil "software [manually] downloaded from arbitrary foreign sources".

Re:Not all web apps work with just HTML and CSS

[ffkom]

If people still knew how to write HTML, almost no web site would need to use any "JavaScript" or other "active content"

How would, say, a web-based front-end to an IRC server work without script?

There are plenty of native IRC clients available for basically every operating system. They waste less resources, and you can get them from sources that are probably much more trustworthy than some arbitrary web page.

For example, if you need an IRC client for Android, you can get various, including source code, cryptographically signed by the repository maintainers, from https://f-droid.org/packages/#... for free.

Re:Not all web apps work with just HTML and CSS

[tepples]

There are plenty of native IRC clients available for basically every operating system.

For one thing, you generally need to be an administrator to install such a program, and if you're borrowing the use of a friend's or library's computer, you're likely to lack permission to permanently install software. In addition, the web-based IRC clones (such as Skype, Slack, and Discord) tend to integrate retrieval of older messages, images, attachments, and other things that the IRC protocol itself does not standardize.

And which multi-user whiteboard protocol do the native multi-user whiteboard clients use?

Re:Not all web apps work with just HTML and CSS

[Dutch+Gun]

What you're describing are fully featured web-hosted apps. Obviously, such things would need scripting to work.

But why should I deign to allow a 3rd party ad to execute arbitrary script from an undisclosed and potentially malicious actor to run on my client machine, all without any oversight by the website I visit or permission from me?

Surely there's a more intelligent middle-ground, rather than the free-for-all permissive model that simply hopes no one finds their way out of the sandbox, or figures out how to abuse your system from within the sandbox (like crypto-currency mining, for example).

Re:Not all web apps work with just HTML and CSS

[tepples]

What you're describing are fully featured web-hosted apps.

Many users of tech forums like Slashdot and SoylentNews have concluded that "fully featured web-hosted apps" ought never to have existed in the first place.

Re: Not all web apps work with just HTML and CSS

[Ash-Fox]

Use frames and meta refresh, done.

Re: Not all web apps work with just HTML and CSS

[tepples]

The same is true of a multi-user whiteboard, which needs to know when another user has drawn a stroke. In addition, server-side image map doesn't support drag input, only click input.

Use frames and meta refresh, done.

That has three drawbacks:

• Sending the entire image every time using "frames and meta refresh" is wasteful of bandwidth, particularly over satellite or cellular which tends to be fairly strictly metered.
• Sending causes the screen to become blank for a moment between when the new document's HTML loads and when the current revision of the whiteboard image loads.
• I don't see how combining image maps with meta refresh is going to let the user drag over an image to add a stroke to a multi-user whiteboard. The server-side image map submits only on a click, not on a drag. If no client-side script is active, the browser instead treats a drag as an attempt to copy the link to the computer's local file system as a URL file or the image as a JPEG or PNG file.

Re: Not all web apps work with just HTML and CSS

[Ash-Fox]

Sending the entire image every time using "frames and meta refresh" is wasteful of bandwidth, particularly over satellite or cellular which tends to be fairly strictly metered.

Sending causes the screen to become blank for a moment between when the new document's HTML loads and when the current revision of the whiteboard image loads.

I was only thinking of using the meta refresh for the userlist. I thought it was obvious the chat frame would not terminate the HTTP connection (and include a meta refresh in case it was terminated), just keep spending data as new messages come in.

I don't see how combining image maps with meta refresh is going to let the user drag over an image to add a stroke to a multi-user whiteboard.

Use the old slicing method before maps existed.

Re:Not all web apps work with just HTML and CSS

[DarkOx]

This was done with cgi and meta tags with http-equiv="refresh" for years before browsers reliably supported JavaScript.

I grant you not as a efficient, but people did it and it worked. Arguably it was much safer.

Re:Not all web apps work with just HTML and CSS

[drinkypoo]

If people still knew how to write HTML, almost no web site would need to use any "JavaScript" or other "active content", with all the security issues this implies.

How would, say, a web-based front-end to an IRC server work without script?

OMG PLS STAHP

You are constantly (deliberately?) misinterpreting people's comments so that you can make some inane objection. "Almost no web site" is "a web-based front-end to an IRC server". Also, if you don't expect it to be a very good client, you can do it just with refreshes. Implement scrollback as a separate page from the display, put the display in an iframe and refresh it frequently. Done. So it's a terrible question anyway, and it wasn't worth asking ever.

The basic objection here is that you should not need to run someone else's code on your computer just to view some static content. I personally don't mind enabling scripts for a site that actually does some kind of whiz-bang interactive thing that I want to experience. I know what I'm getting into. What bothers me is when I load a Slashdot story link and there's nothing there, because the site owner wants to spy on me or use my computer to mine coins or use it to participate in a DDoS and I just want to read a block of text. I'll go read some other block of text.

Re: Not all web apps work with just HTML and CSS

[tepples]

I thought it was obvious the chat frame would not terminate the HTTP connection (and include a meta refresh in case it was terminated), just keep spending data as new messages come in.

I wasn't aware that progressively loading an HTML document stlil worked. My experiments with trying to push chunked transfer encoding out of PHP, sending a flush() after each message, caused messages to appear to arrive at the browser in chunks of about a dozen messages at a time. It appeared as if some layer in the middle were heavily applying Nagle's algorithm, and I couldn't tell at the time whether it was HTTP compression, HTTPS encryption, or something else layered on top of it. And CDNs don't make it any simpler, as many of them try to retrieve the complete document from the origin server before passing it on to the viewer.

I don't see how combining image maps with meta refresh is going to let the user drag over an image to add a stroke to a multi-user whiteboard.

Use the old slicing method before maps existed.

The coordinates included in a stroke start at mousedown, continue through all the turns of the mouse that the user made while inputting the stroke, and ends at mouse up. How would "the old slicing method" cause these coordinates to be sent to the server? What <input type="..."> or other element is used? And in what format are they sent?

Re:Not all web apps work with just HTML and CSS

[tepples]

What's the "new tool" for running a single application on Windows, macOS, GNU/Linux, iOS, and Android?

Re:Not all web apps work with just HTML and CSS

[tepples]

This was done with cgi and meta tags with http-equiv="refresh" for years before browsers reliably supported JavaScript.

Text chat was. A whiteboard wasn't.

Re:Not all web apps work with just HTML and CSS

[tepples]

"Almost no web site" is "a web-based front-end to an IRC server".

It may be "almost no web site" when counted as unique domains, but IRC clones such as Slack and Discord rack up the user hours a lot more quickly than the in-and-out visits to mostly textual sites that don't need script.

Also, if you don't expect it to be a very good client, you can do it just with refreshes. Implement scrollback as a separate page from the display, put the display in an iframe and refresh it frequently. Done.

This works for IRC, not a whiteboard.

The basic objection here is that you should not need to run someone else's code on your computer just to view some static content.

I understand that. My counter-objection is that a lot of popular content isn't static.

I personally don't mind enabling scripts for a site that actually does some kind of whiz-bang interactive thing that I want to experience. I know what I'm getting into.

I make this objection to people in order to know whether, when faced with an interactive web application, a particular user prefers to enable script (like you) or to do without (like Opportunist, apparently). If the user is willing to enable script, my next step is usually to ask what a site needs to do in order to prove itself trustworthy. If the user is unwilling to enable script, my next step is usually to ask what non-web platform is preferable for an interactive application. If there's a more efficient way to choose the appropriate follow-up question for a particular user's attitude toward interactive web applications, I'd appreciate knowing about it.

Re:Not all web apps work with just HTML and CSS

[Opportunist]

Show me ONE browser application that works well without any kind of readjustments on those systems and where adjusting it is less work than do a batch-compile for all of them.

Re: Not all web apps work with just HTML and CSS

[Ash-Fox]

You make me feel dirty thinking about all the tricks and things I used to use. My initial post was more, "yeah, you can do it if you really want to".

I wasn't aware that progressively loading an HTML document stlil worked.

It does, my old chat stuff (built before web 2.0 is still functioning proper).

My experiments with trying to push chunked transfer encoding out of PHP, sending a flush() after each message, caused messages to appear to arrive at the browser in chunks of about a dozen messages at a time.

I couldn't tell you about what happens with PHP, I originally wrote a custom webserver from scratch into my IRC daemon and then used a forwarding proxy to forward communications to it.

The coordinates included in a stroke start at mousedown, continue through all the turns of the mouse that the user made while inputting the stroke, and ends at mouse up. How would "the old slicing method" cause these coordinates to be sent to the server?

The trick being that everything is sliced into tiny pieces. You click it what you want to move, then click the destination.

I'm feeling very web 1.0 now.

Re:Not all web apps work with just HTML and CSS

[NearO]

In my days we did this with a frameset. The big upper frame hat a meta refreshing chat buffer or nph. At the bottom was a second frame with the input bar. To the right you had a third frame, also meta refreshing, with the user list. Easy as pie. Just a bit laggy, but if you don't like it, use a proper IRC client.

That aside, this is disingenuous. This kind of active application is not "most websites". Try browsing the web JS disabled. Loads of websites look completely broken for no good reason. They shouldn't need drag and drop or content push or whatever just to display some pictures, a logo and a bit of text. Adding JS requirements to that kind of site only makes the world a worse place.

It would be nice if we could go back to the days of graceful degradation, so I can keep JS permanently turned off for most sites.

Re:Not all web apps work with just HTML and CSS

[tepples]

Other replies to my comment describe how a web interface to text chat worked prior to AJAX. But how would that work with a whiteboard? As far as I can tell, someone without script can view a snapshot of a whiteboard every minute but can't add marks larger than a dot because an image map submits only on click, not on drag.

Re:Not all web apps work with just HTML and CSS

[tepples]

Publishing a native application for iOS requires a valid paid membership in the Apple Developer Program. Publishing a web application does not require a recurring payment to Apple. In fact, remote testing services allow some level of testing in Safari to be performed even without having to own a Mac, iPod touch, iPhone, or iPad.

Re:Not all web apps work with just HTML and CSS

[NearO]

As I said, obviously not everything is possible without JS, but that is not the point. The point is that JS is used without good reason on the majority of websites requiring it.

That aside, you could draw lines and other shapes. It's not big deal, just really clumsy. The first click marks one corner of the shape to draw and puts a marker on the image, the second click sets the other corner and draws the shape. You can draw lines, boxes, whatever. You just won't see your shape until the second click.

Re:Not all web apps work with just HTML and CSS

[Desty]

There are plenty of native IRC clients available for basically every operating system. They waste less resources, and you can get them from sources that are probably much more trustworthy than some arbitrary web page.

Yes, and they also require the user to trust that the arbitrary code in their shiny native IRC client will be less harmful than the arbitrary *sandboxed* code, running in their web browser, with the ability to block known ad sites or restrict certain types of operation (like accessing the webcam or microphone, etc).

The current model of running native programs is indeed more powerful, but far, far less safe than running stuff in your browser's controller JavaScript sandbox. That's not to say that a superior alternative to both could exist -- maybe we could start integrating Docker (or similar LXC-type system) into the process of installing, running and deleting native-but-not-totally-trusted apps.

Re:Erin Burnett Cover Your TITS!

[boudie2]

I think it do.

cpu-profiling of browser tabs

[mugurel]

Whether crypto-mining or not, some pages seem to use a disproportionate share of cpu time for the content they're delivering. Some form of cpu usage indicator per tab would be helpful, similar in vein to the speaker icon on tabs that produce sound.

Re:cpu-profiling of browser tabs

[swb]

Even better would be adjustable settings for maximum individual CPU by a tab and maximum CPU allowable to all background tabs total, and some way to whitelist tabs so that sites I want to run full tilt in the background can. Somebody can write a plug in for more granular control if you want to go full Asperger's on the settings.

I hate to say it, but it really is going to take Google just deciding to ration background tab CPU. Once they do that it will force web sites to either suck it up and not get real-time updates about the web page I'm not looking at or un-bloat their code.

Re:cpu-profiling of browser tabs

[Trax3001BBS]

Even better would be adjustable settings for maximum individual CPU by a tab and maximum CPU allowable to all background tabs total, and some way to whitelist tabs so that sites I want to run full tilt in the background can. Somebody can write a plug in for more granular control if you want to go full Asperger's on the settings.

My fans do this for me and I've notice a few websites that the fans start ramping up when visited. I then monitor the temps.

Re:cpu-profiling of browser tabs

[DNS-and-BIND]

No icon, just shade it a different color when it starts using the CPU intensively.

Re:cpu-profiling of browser tabs

[Waccoon]

Fat chance. Remember how all the browsers riled against the status bar, saying people didn't need it?

Re:cpu-profiling of browser tabs

[doconnor]

Chrome reduces CPU usage of background tabs to 1% after 10 seconds..

My CPU doesn't really get tired

[rsilvergun]

and it's an i5-7500. Not only does it have plenty of headroom on processing but even if I'm running Burn in Test it doesn't get above 40 celcius on a CPU that could comfortably hit 70 for the next 20 years. The electricity cost is negligible too.

I can't even get that worked up about this stuff on my cell phone. I don't generally browse on it for hours on end. Maybe if I used a tablet I'd care, but as it stands this is kind of a non-issue. What surprises me is the amount of white hot rage over it going around the net. I think it makes people feel like marks that they're not getting their cut, nevermind that they got their cut when they consumed the content on the site (assuming they weren't tricked, but then we're talking mal-ware, which is a whole 'nother discussion).

Strange times

[duke_cheetah2003]

We live in some strange times, where thieves are trying to steal CPU cycles from our devices. Just wow, who would've ever thought this would ever be a thing?

On another note, I think I might have stumbled across a site doing this and it's pretty annoying, browser goes very slow.

Re:Strange times

[Darinbob]

If this was a "real" currency, the mining would not be so effective. As more bitcoins were mined, the price of each would be proportionately reduced or there would be a corresponding inflation in prices. This is how things work when new gold is mined or new currency is loosed on the market (feds print more).

Mining more will hurt the price to those who already have bitcoin. Since most of those users are in the darker side of the economy, with ties to criminal networks, this presents a solution to the problem. Just have the mafia and drug lords hunt down these miners.

Re:Strange times

[duke_cheetah2003]

Mining more will hurt the price to those who already have bitcoin. Since most of those users are in the darker side of the economy, with ties to criminal networks, this presents a solution to the problem. Just have the mafia and drug lords hunt down these miners.

While I definitely agree with you on this point, I don't believe Bitcoin itself is involved in this scheme. This scheme really wouldn't work too great for Bitcoin at this point, anyway. That ship sailed long ago, there's not a lot of Bitcoin left to 'mine.' To even have a chance of acquiring one of those remaining ones, I'm afraid even the power of millions of idle smartphones isn't going to help. You need a datacenter at this point. The mining-browser-hijack TFA referred to was Monero I believe.

But what a pointless waste of effort, yeah. Definitely going to dilute that particular crypto-currency. Wouldn't it be cool if someone doing this sort of nefarious thing did it for a good cause, like folding@home or some other community distributed computing project other that silly crypto-currencies?

Re:Strange times

[TeknoHog]

The idea is not really that new. CPU time has been worth money long before cryptocurrencies. I recall around the turn of the century, as projects like Seti@Home came up, there were also projects that would pay you for the CPU time. So the idea of stealing that commodity wasn't that far fetched, see Parasitic computing for example. (Incidentally, I was just reading a book on networks/graphs by Barabasi, where this topic is also discussed.)

We're always right.

[i286NiNJA]

No you should complain about it and take efforts to stop us. Just as we certainly should punish Russia
I'm sure that Putin would agree might makes right and we're by far the mightiest.

What you really need to do

[CanadianMacFan]

Does anyone remember the person that deleted the small JavaScript file and brought down so many big sites because they were loading it from his site instead of having a copy on their own site? I think it was to justify text. It was only a couple of lines.

You need to find a function that is popular like that and is loaded from a central server. Once you have identified one then find a way to change it so that it gets the browsers to mine cryptocurrency. Probably don't want it to spike the CPU usage as it would give it away.

Re:What you really need to do

> Does anyone remember the person that deleted the small JavaScript file and brought down so many big sites because they were loading it from his site instead of having a copy on their own site? I think it was to justify text. It was only a couple of lines.

You're recalling the npm package called left-pad (alternate write-up here). The author was Azer Koçulu (Slashdot might botch his Turkish surname, apologies for that).

Re:What you really need to do

[schleimkeim]

Javascript is such a shitshow. How that crap language ever got used for more than aler() is beyond me.

Re:What you really need to do

[Rakarra]

It's really simple. The alternative was to write Java applets, which ground your computer to a half for 10-20 seconds while the runtime booted up.

The typical grumpy Slashdotter response was to insist high and low that Java wasn't slow.

I think the typical grumpy Slashdotter response was to insist that no one actually needed to do the shit that the stupid javascript app or Java applet was trying to do.

There was another alternative too: ActiveX. Oof.

Air conditioning

[tepples]

The electricity cost is negligible too.

The price of electric power depends on where you live. And in a lot of places, people have to pay twice for electric power: once to run the computer and once to run the air conditioner that moves the heat generated by the computer to the outside.

nevermind that [viewers] got their cut when they consumed the content on the site

Why do people keep referring to viewing works created by others as "consuming" them? A work isn't "consumed", or used up, in the act of viewing it.

Re:Air conditioning

[Afty0r]

> Why do people keep referring to viewing works created by others as "consuming" them? A work isn't "consumed", or used up, in the act of viewing it

Probably because we speak English, and that's the colloquial and accepted term for using content.

Language evolves, if you insist on living in the past, you only make yourself look stupid, not others.

Re:Air conditioning

[tepples]

Probably because we speak English, and ["consuming" is] the colloquial and accepted term for using content.

Before this "consuming" fad, the word was "viewing". What's wrong with "viewing"?

Re:Exhausting?

[tepples]

If a CPU can't be "exhausted", then why does a desktop PC have an "exhaust" fan?

Nor is the CPU the only component of a computer system that can be exhausted. A laptop, tablet, or smartphone has a battery that is discharged more quickly when Coinhive is running.

Why is this any different?

With all the garbage that most sites want to run on our CPU's to serve ads and do all sorts of tracking why is crypto currency mining any different? Every sinle page that you hit on the internet has TONS and TONS of javascript crap that wants to run. All of this nonsense wastes our CPU power for the benefit of the site we are using. Is it just the direct revenue that we are offended by all of a sudden? Tracking code profits them directly. Offloading tasks onto your machine that should be done on their web server profits them directly by allowing them to run a smaller footprint of less powerful servers.

If you want to stop this nonsense install a javascript blocker. Noscript and adblock plus are great add ons that will improve your browser experience. For those sites that have ad block blockers? Fuck them. I hit the back button and never go to those sites. There's millions of alternative sites out there to get the same information who's not going to be tacky about a user putting their foot down to what's run on their system.

Web designers really need to think about all the javascript garbage that they are packing their pages with and how their users are just going to start blocking them. I browse the web on a 5ghz i7700k with 64gb ram. I still don't want this bullshit slowing down my experience or wasting my electricity running tasks for the benefit of a for profit business.

I'm actually glad people are finally using this for more nefarious purposes. It's going to get us visibility into an issue with the web today. This is an out of control wild west practice that needs to be curbed. If more users start using noscript designers will need to think twice before packing their pages full of crap.

BTW for you web designer assholes. I'm GLAD that blocking all your garbage causes you issues. I'm glad it costs you directly in your ad revenue and I'm glad that your web statistics are not accurate. Fuck you people and your abusive use of my computing resources.

Re:Worse than TREASON!

I would rather that you got your fucking nose out of my business. Please tell me how US interference is somehow better than Russian interference in my own private life? Thanks.

Re:Exhausting?

[freeze128]

I once saw an error from a program that was written in German. The error said that the RAM was exhausted. I think it simply meant "Out of Memory".

Re:Worse than TREASON!

Russian interference makes your entire government dependent on corruption which flows through Moscow. Government repression is encouraged.

So tell the rest of the world again about Citizens United and how america hasn't institutionalised corruption? Legalising bribery doesn't mean it isn't morally reprehensible.

Russia may be a sack of shitheels but at least they don't pretend their bullshit is on the level.

Gecko engine web browsers' top...

[antdude]

Type "about:performance" in any recent Gecko web browsers (e.g., SeaMonkey and Firefox)'s URL form to show for a top type view. I would also like to see a tab version like its audio.

Re:Gecko engine web browsers' top...

[sootman]

lol. I went there and on the second or third poll it said "about:performance may currently be slowing down Firefox." :-/

Re:Gecko engine web browsers' top...

[antdude]

Yeah, I had those before. You must had a lot of stuff running at that time. Even uBlock Origin extension too! LinkedIn and other web sites are horrible! :(

Re:Gecko engine web browsers' top...

[antdude]

Yeah, it's limited but better than nothing. You could also use about:memory for memory stuff.

Re:Query string in fragment identifier needs JS

[Pikoro]

Not even remotely true so the parent post is spot on. That's a standard HTML tag called an anchor and can be linked directly to without any kind of scripting required.

Re:Worse than TREASON!

[schleimkeim]

US interference advocates for democracy, transparency, anti-corruption, and a free press.

You really do believe that, don't you? I'm out of words here...

Re:Exhausting?

[drinkypoo]

I once saw an error from a program that was written in German. The error said that the RAM was exhausted. I think it simply meant "Out of Memory".

Unlike the suggestion that attaching an air duct and exhaust fan to something is a valid use of the word "exhausted", that actually is an example of resource exhaustion.

Re:Worse than TREASON!

[Opportunist]

US interference advocates for democracy, transparency, anti-corruption, and a free press. This is good for you, and for your country.

Is that so? Well, let's see what US interference got some countries.

There is for example Augusto Pinochet, the veritable epitome of freedom and democracy. That the CIA installed him after eliminating Salvador Allende, the democratically elected president of the country, shouldn't faze you. That Allende must have been some kind of Commie for sure.

Or how about Shah Reza Pahlevi, who was installed after some idiot dared to nationalize the oil fields in Persia. Old Reza put our oil back into our hands ("our" being us westeners, of course) and in return we gave him the fourth largest army on the planet. He was a bit of a despot, though, but that's secondary.

Maybe Manuel Noriega? Yes, believe it or not, that once was our buddy. Before he tried to actually think for himself, then the US quickly removed him. But calling the op to get rid of him "Operation Just Cause" was ... you know, there's irony and then there is mockery.

No, now I got it. Ferdinand Marcos. Now here's a poster child for transparency, freedom of press, democracy and most of all anti-corruption!

And I guess I don't have to introduce him, do I? Originally hired to take our toys away from that Ayatollah after that towelhead had the audacity to kick our friend Reza in the butt, he eventually became our butt to kick himself.

Now that I think of it, that does happen to a lot of our "friends"...

Re:Eye Candy Sells [Re:There is some good in this.

[Opportunist]

Easy. We have to slap people for trying to touch the wiggly throbbing bouncy controls, too.

Re:Totally wrong, no privileges needed

[tepples]

Virtually all network clients can run unprivileged and so can be installed and run in the current directory, even by a guest.

Not if the PC is configured to use Software Restriction Policies/AppLocker, or if the PC's owner threatens to withdraw the guest's permission to use the PC if the PC's owner finds that the guest has downloaded and executed unapproved software.

Re:Query string in fragment identifier needs JS

[tepples]

You are correct that the fragment identifier has two purposes: one to be read by JavaScript and the other as the "anchor" that you mention. But an anchor needs to exactly match the value of an element's the id attribute. When I retrieved the URL https://f-droid.org/packages/, the HTML document in the response did not contain an element whose id attribute has a value q=IRC.

The alternative to parent doc access is tracking

[tepples]

Ads don't need web sockets, for example. Or file I/O. They most definitely shouldn't have access to parent document.

What benefit does the viewer derive from an ad having absolutely no access to the parent document? I understand your objection to write access to the parent document. But without read-only access to the parent document, the ad code cannot determine the page's topic and therefore cannot select an ad that is relevant to the page's topic. Without access to the page's topic, the ad has no way to determine the viewer's interests and must instead use an interest dossier derived by tracking the user across multiple websites to log his browsing history. And the "retargeting" technique associated with such fine-grained interest dossiers is a large part of what led to ad blocking in the first place.

Re:Totally wrong, no privileges needed

[tepples]

Virtually all network clients can run unprivileged and so can be installed and run in the current directory, even by a guest.

True of Windows, macOS, and GNU/Linux most of the time, but not of iOS, which has no "current directory" visible to the end user. The owner of an iOS device can configure App Store to require the owner's password before installing an app.

Re:The alternative to parent doc access is trackin

[pjt33]

But without read-only access to the parent document, the ad code cannot determine the page's topic and therefore cannot select an ad that is relevant to the page's topic.

What happened to the Referer header?

It's the cryptopocolypse

[Ebsolas]

But honestly. I actually don't mind this model too much. Although I do believe that such apps and sites should try to be smart about it and attempt to back off if a borrowed CPU is being overloaded. While JavaScript doesn't have any easy ways to check CPU usage at the very least they could include a checkbox allowing for it to be disabled if users notice their computer slowing.

Inverse SETI AT HOME!!

[TheRealHocusLocus]

SETI galaxy gazing Search for Extraterrestrial Intelligence
BITCOIN MINING navel-gazing search for Earthbound stupidity
I remember when cryptography was fun and had a noble purpose

Now even strong cryptography can be snake oil when it is being sold Enron-style by increasingly 'wealthy' middlemen as a replacement for money. Who knew?

Re:The alternative to parent doc access is trackin

[tepples]

If an ad can determine the content of a page it can know what a user's preferences are by combining multiple serves across pages.

Only if it sets a persistent cookie. An ad serving script that can see the text of the parent document but lacks privilege to associate it with a persistent cross-site user identifier can serve somewhat relevant results without tracking.

Re:Exhausting?

[tepples]

[RAM] actually is an example of resource exhaustion.

Battery energy is another example of a resource on a computer that can be exhausted (at least until the next recharge), correct?

Re:Exhausting?

[drinkypoo]

Battery energy is another example of a resource on a computer that can be exhausted (at least until the next recharge), correct?

Sure, any resource that can be used up and there's no more left (until further notice) can be exhausted. You could say that you've exhausted the free CPU cycles, though that would be the silliest and most cumbersome way to express that thought.

Doubles HTML traffic

[tepples]

Reliance on the HTTP Referer: header to communicate the context to the ad server doubles HTML traffic. Every time the user views an HTML document, the server would see two hits to the HTML document: one from the viewer and one from the ad server to read the document on which the ad is placed.

Re:Doubles HTML traffic

[pjt33]

Only if the people running the ad server are too incompetent to cache. Which they may be, but it's nice to dream...

Re:Doubles HTML traffic

[tepples]

It's still double in case of a cache miss.

Re:Worse than TREASON!

[Rakarra]

So tell the rest of the world again about Citizens United [wikipedia.org] and how america hasn't institutionalised corruption?

The Citizens United decision says one thing: that groups of people don't give up their free speech rights because they're an organization and not just a single person.

Re:Query string in fragment identifier needs JS

[Pikoro]

Then the page is wrong. Linking to an anchor that doesn't exist should put you at the top of the resulting page. Using JavaScript to "fix" something that isn't broken is stupid. JavaScript is NOT required in order to make that link work properly.

Also, the element id attribute doesn't have to be set at all for an anchor to work. You set the name attribute on an anchor tag to work as the target for a link. This is all HTML 101.

A <A NAME=serious>serious</A> crime is one which is associated
    with imprisonment.
...
    The Organization may refuse employment to anyone convicted
    of a <a href="#serious">serious</A> crime.

The above html will allow you to link directly to the #serious element. No js needed.