SoylentNews is people

posted by Fnord666 on Wednesday September 27 2017, @10:43PM
from the follow-the-monero dept.

Showtime, a premium cable, satellite, and streaming television service owned by CBS, included JavaScript on two of its domains that used users' web browsers to mine the cryptocurrency Monero:

The websites of US telly giant CBS's Showtime contained JavaScript that secretly commandeered viewers' web browsers over the weekend to mine cryptocurrency.

The flagship Showtime.com and its instant-access ShowtimeAnytime.com sibling silently pulled in code that caused browsers to blow spare processor time calculating new Monero coins – a privacy-focused alternative to the ever-popular Bitcoin. The hidden software typically consumed as much as 60 per cent of CPU capacity on computers visiting the sites.

The scripts were written by Code Hive, a legit outfit that provides JavaScript to website owners: webmasters add the code to their pages so that they can earn slivers of cash from each visitor as an alternative to serving adverts to generate revenue. Over time, money mined by the Code-Hive-hosted scripts adds up and is transferred from Coin Hive to the site's administrators. One Monero coin, 1 XMR, is worth about $92 right now.

However, it's extremely unlikely that a large corporation like CBS would smuggle such a piece of mining code onto its dot-coms – especially since it charges subscribers to watch the hit TV shows online – suggesting someone hacked the websites' source code to insert the mining JavaScript and make a quick buck.

The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers' pages, so the code must have come from another source – or was injected by miscreants who had compromised Showtime's systems.

Also at PCMag.
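
A defensive check for the situation the article describes, where a script from an unexpected host sits inside what looks like an analytics vendor's comment-delimited insert. This is an added example, not code from the article or from any party it names; the hosts, comment markers, sample page and policy format are all constructed for illustration.

```javascript
// Added example. Hosts, marker text and the sample page are constructed.
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.site.example/player.js"></script>
<!-- Start Analytics Vendor -->
<script src="https://agent.analytics.example/agent.js"></script>
<script src="//miner.example/lib/m.min.js"></script>
<!-- End Analytics Vendor -->
<!-- <script src="https://old.example/disabled.js"></script> -->
</head><body></body></html>`;

// Hypothetical policy: hosts the site itself loads from, plus one entry per
// vendor insert naming its comment markers and the hosts that vendor uses.
const POLICY = {
  pageOrigin: 'https://www.site.example/',
  siteHosts: ['www.site.example', 'cdn.site.example'],
  regions: [{ name: 'analytics', start: 'Start Analytics Vendor',
              end: 'End Analytics Vendor', hosts: ['agent.analytics.example'] }],
};

// Walk comments and <script> tags in document order. Inside a vendor-marked
// comment region only that vendor's hosts are expected; elsewhere the site's.
function auditScripts(html, policy) {
  const findings = [];
  const token = /<!--([\s\S]*?)-->|<script\b([^>]*)>/gi;
  let region = null;
  let m;
  while ((m = token.exec(html)) !== null) {
    if (m[1] !== undefined) {                 // an HTML comment
      const text = m[1].trim();
      const opened = policy.regions.find(r => r.start === text);
      if (opened) region = opened;
      else if (region && region.end === text) region = null;
      continue;                               // commented-out tags are skipped
    }
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[2]);
    if (!src) continue;                       // inline script, no host to check
    let host = null;
    try { host = new URL(src[1], policy.pageOrigin).hostname; } catch (e) { /* unparseable */ }
    const allowed = region ? region.hosts : policy.siteHosts;
    if (host === null || !allowed.includes(host)) {
      findings.push({ src: src[1], host, region: region ? region.name : null });
    }
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, POLICY));
```

Run against a saved copy of each production page on a schedule, a non-empty result is a prompt to find out who added the tag; a `script-src` Content-Security-Policy listing the same hosts enforces the allowlist in the browser.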


  • (Score: 3, Interesting) by edIII on Wednesday September 27 2017, @11:34PM (14 children)

    by edIII (791) on Wednesday September 27 2017, @11:34PM (#574093)

    Seriously. As long as the javascript was vetted, and it doesn't inject any more code from 3rd parties, it could be a viable payment method for Soylent. I got a big ol' honking CPU plus a Nvidia 1070 under the hood. I would not mind at all having a browser open on a different workspace in the background while I work. If I need the processing power I can always close the page.

    My issues with javascript are just security ones. I have no real problems with it otherwise, and I ran the Piwik code while Soylent was using it. I've bought a few subs, but at $97 per coin, if I can generate a coin per year, I would end up contributing more to Soylent.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 5, Insightful) by takyon on Wednesday September 27 2017, @11:39PM (7 children)

    by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Wednesday September 27 2017, @11:39PM (#574095) Journal

    Wouldn't it be more efficient and ethical to have users run the mining code themselves and donate the currency to a Soylent wallet?

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 4, Funny) by Anonymous Coward on Wednesday September 27 2017, @11:43PM

      by Anonymous Coward on Wednesday September 27 2017, @11:43PM (#574099)

      SSShhh... that's the logical solution so of course that means it won't be considered at all what-so-ever.

    • (Score: 0) by Anonymous Coward on Thursday September 28 2017, @12:02AM (2 children)

      by Anonymous Coward on Thursday September 28 2017, @12:02AM (#574108)

      Especially since JavaScript miners are, as I understand it, completely unable to access the GPU resources. Although, that isn't much help as even GPU mining isn't really effective without a super powerful card, because of all the ASIC and FPGA miners out there.

      • (Score: 2) by JNCF on Thursday September 28 2017, @12:07AM

        by JNCF (4317) on Thursday September 28 2017, @12:07AM (#574110) Journal

        IIRC, the code I've seen used funky WebGL shaders I didn't grok to mine BTC through the GPU.

      • (Score: 2) by JNCF on Thursday September 28 2017, @12:12AM

        by JNCF (4317) on Thursday September 28 2017, @12:12AM (#574112) Journal

        Also, whether or not GPU mining is competitive depends on whether or not the coin using a given algorithm is valuable enough to warrant the production of special-purpose hardware. Some coins have no ASICs yet. Note that CBS/hackers-of-CBS used Monero, not Bitcoin (I don't know if there are ASICs targeting Monero yet, but I doubt it based on their choice).

    • (Score: 3, Informative) by edIII on Thursday September 28 2017, @01:44AM (2 children)

      by edIII (791) on Thursday September 28 2017, @01:44AM (#574165)

      Well.... perhaps, but that doesn't let me be a lazy bastard and just expect you to make it happen :)

      Now that I think about it, with as many devices that I have that could also operate a modern web browser, it might not be a bad idea to look into getting the JS code myself and hosting a server.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 2) by hemocyanin on Thursday September 28 2017, @02:45PM (1 child)

        by hemocyanin (186) on Thursday September 28 2017, @02:45PM (#574360) Journal

        Honestly, I'm not going to go out of my way to set up any mining software, make a transfer, blah blah blah. I just have too many things going on to add yet another thing to figure out, especially one I'm not that interested in (I've never participated in the crypto-currency scene).

        However, I very much like the idea you mentioned though, of just letting Soylent figure it out and handle the mining. I don't see any ethical issues at all provided it is an "opt-in" system. Running it in secret would be problematic because some people may need to save money on electricity, but to say to users "hey, you can help Soylent out by letting us run some mining software in the background while you're logged in, will you let us do it?" is 100% pure and ethical. It would also let people who can't or don't buy subscriptions help out and if that makes them warm fuzzies, it's 110% ethical.

        • (Score: 2) by hemocyanin on Thursday September 28 2017, @02:47PM

          by hemocyanin (186) on Thursday September 28 2017, @02:47PM (#574362) Journal

          Change "_makes_ them warm fuzzies" to "_gives_ them warm fuzzies".

          I've even had coffee already dang it.

  • (Score: 2, Touché) by Anonymous Coward on Thursday September 28 2017, @12:42AM (3 children)

    by Anonymous Coward on Thursday September 28 2017, @12:42AM (#574121)

    You don't pay for your own power, do you?

    • (Score: 2) by JNCF on Thursday September 28 2017, @12:47AM (1 child)

      by JNCF (4317) on Thursday September 28 2017, @12:47AM (#574123) Journal

      He did say "while I work." I used to run SETI@home on a company computer overnight, but the company was aware.

      • (Score: 1, Funny) by Anonymous Coward on Thursday September 28 2017, @05:29PM

        by Anonymous Coward on Thursday September 28 2017, @05:29PM (#574453)

        My company did the same thing for a while thanks to some perverse incentives. They paid a flat rate for a set number of kWh per day (4 A.M. to 4 A.M.) to get a break on rates, with overages being charged at insane rates. Well, they were in a use it or lose it situation, so the IT department would have the machines boot into Linux and run various SMART and other diagnostics, along with BOINC in a VM. The central manager would issue stop orders at 4 A.M. or when they got too close to the kWh limit, whichever came first and the machines would reboot in time for work the next day. Suffice to say, that arrangement only lasted the minimum amount of time before getting terminated by the managing company because by the end of it, most companies in the building started doing various things like that, which resulted in a drastic increase in power usage bills to the managing company.

    • (Score: 0) by Anonymous Coward on Thursday September 28 2017, @02:02PM

      by Anonymous Coward on Thursday September 28 2017, @02:02PM (#574341)

      Of course not. Mom does.

  • (Score: 2) by maxwell demon on Thursday September 28 2017, @04:41AM (1 child)

    by maxwell demon (1608) on Thursday September 28 2017, @04:41AM (#574215) Journal

    Seriously. As long as the javascript was vetted, and it doesn't inject any more code from 3rd parties, it could be a viable payment method for Soylent.

    You are aware that quite a few users of SN have JavaScript disabled? I actually have JS enabled for SN. But if SN started to eat my processor cycles, I'd reverse that decision. I don't want SN to eat my processor cycles whenever I visit it, especially when on battery. Or when at work, where it may steal cycles from work-related processing. And where Bitcoin mining on work computers is explicitly forbidden BTW.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 4, Interesting) by edIII on Thursday September 28 2017, @08:43AM

      by edIII (791) on Thursday September 28 2017, @08:43AM (#574285)

      Dude, I wasn't talking about every single page. It could be a link to the side where you can voluntarily load the dedicated page with the mining script. I would browse articles and comments in other tabs without JS.

      Injecting code into every page would be overkill. Once per session is fine, and the dedicated page allows you to decide when you're contributing or not. Takyon had the right idea though, but it wouldn't be a bad idea to have a howto link in our profiles with the code ready for download and customization. Then I can run it from my own webserver, or just load it up locally.

      I wasn't suggesting work computers or servers. Although, I have enough authority to do so anyways. For that matter, any virtual instances are already paid for. It makes no difference whether you did a full processing load or not, you're still charged for it in that second. Power, CPU, GPU, all rolled into one rate per second. On those machines, it literally makes no sense to not take advantage of the processing cycles. Of course, these are on my own servers. For clients I would never install and run unauthorized code in the first place.

      --
      Technically, lunchtime is at any moment. It's just a wave function.