posted by Fnord666 on Wednesday September 27, @10:43PM
from the follow-the-monero dept.

Showtime, a premium cable, satellite, and streaming television service owned by CBS, included JavaScript on two of its domains that used users' web browsers to mine the cryptocurrency Monero:

The websites of US telly giant CBS's Showtime contained JavaScript that secretly commandeered viewers' web browsers over the weekend to mine cryptocurrency.

The flagship Showtime.com and its instant-access ShowtimeAnytime.com sibling silently pulled in code that caused browsers to blow spare processor time calculating new Monero coins – a privacy-focused alternative to the ever-popular Bitcoin. The hidden software typically consumed as much as 60 per cent of CPU capacity on computers visiting the sites.

The scripts were written by Coin Hive, a legit outfit that provides JavaScript to website owners: webmasters add the code to their pages so that they can earn slivers of cash from each visitor as an alternative to serving adverts to generate revenue. Over time, money mined by the Coin-Hive-hosted scripts adds up and is transferred from Coin Hive to the site's administrators. One Monero coin, 1 XMR, is worth about $92 right now.

However, it's extremely unlikely that a large corporation like CBS would smuggle such a piece of mining code onto its dot-coms – especially since it charges subscribers to watch the hit TV shows online – suggesting someone hacked the websites' source code to insert the mining JavaScript and make a quick buck.

The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers' pages, so the code must have come from another source – or was injected by miscreants who had compromised Showtime's systems.

Also at PCMag.



Related Stories

PolitiFact Hacked to Mine Cryptocurrency Using Visitors' Web Browsers

On Friday, the fact-checking website PolitiFact was found to hog its visitors' CPU cycles by using maliciously added JavaScript to mine the cryptocurrency Monero:

A fact-checking website was hacked to mine cryptocurrency over the internet browsers of its unsuspecting visitors. The Pulitzer Prize-winning website, PolitiFact, is devoted to sorting out the truth in US politics. But on Friday, it was found secretly hogging the computer resources of those who visited the site.

Independent security researcher Troy Mursch tweeted about the issue after noticing signs of a cryptocurrency miner in the website's code.

[...] Mursch said the code comes from a company called Coinhive, which developed a controversial cryptocurrency miner to help businesses find a new way to generate online revenue.

However, the Coinhive miner tends to be used in sketchy websites that pirate content or offer porn, according to AdGuard, an ad-blocking service. These sites often struggle to make money from online advertising, so they have to experiment with new ways to make money. AdGuard found 220 websites using a cryptocurrency mining code in a study it released on Thursday.

Does this count as good or bad press for a small-time cryptocurrency?

Also at TechCrunch, The Register, and Cryptovest. Coinhive blog statement from September regarding malicious use.

Previously: Showtime Streaming Service Included JavaScript to Mine Cryptocurrency Using Web Browsers



  • (Score: -1, Troll) by Anonymous Coward on Wednesday September 27, @10:43PM

    by Anonymous Coward on Wednesday September 27, @10:43PM (#574076)

    Dark. Hard. 🅳🅸🅲🅺 🅽🅸🅶🅶🅴🆁🆂.

    Yeah so we never fuck no old pussy.

    You know we fuck whole lots of young pussy.

    🅳🅸🅲🅺 🅽🅸🅶🅶🅴🆁🆂 gonna give ya the full mineshaft of black hot niggercode cryptocum.

  • (Score: 3, Interesting) by edIII on Wednesday September 27, @11:34PM (14 children)

    by edIII (791) Subscriber Badge on Wednesday September 27, @11:34PM (#574093)

    Seriously. As long as the javascript was vetted, and it doesn't inject any more code from 3rd parties, it could be a viable payment method for Soylent. I got a big ol' honking CPU plus a Nvidia 1070 under the hood. I would not mind at all having a browser open on a different workspace in the background while I work. If I need the processing power I can always close the page.

    My issues with javascript are just security ones. I have no real problems with it otherwise, and I ran the Piwik code while Soylent was using it. I've bought a few subs, but at $97 per coin, if I can generate a coin per year, I would end up contributing more to Soylent.

    • (Score: 5, Insightful) by takyon on Wednesday September 27, @11:39PM (7 children)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday September 27, @11:39PM (#574095) Journal

      Wouldn't it be more efficient and ethical to have users run the mining code themselves and donate the currency to a Soylent wallet?

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 4, Funny) by Anonymous Coward on Wednesday September 27, @11:43PM

        by Anonymous Coward on Wednesday September 27, @11:43PM (#574099)

        SSShhh... that's the logical solution so of course that means it won't be considered at all whatsoever.

      • (Score: 0) by Anonymous Coward on Thursday September 28, @12:02AM (2 children)

        by Anonymous Coward on Thursday September 28, @12:02AM (#574108)

        Especially since JavaScript miners are, as I understand it, completely unable to access the GPU resources. Although, that isn't much help as even GPU mining isn't really effective without a super powerful card, because of all the ASIC and FPGA miners out there.

        • (Score: 2) by JNCF on Thursday September 28, @12:07AM

          by JNCF (4317) Subscriber Badge on Thursday September 28, @12:07AM (#574110) Journal

          IIRC, the code I've seen used funky WebGL shaders I didn't grok to mine BTC through the GPU.

        • (Score: 2) by JNCF on Thursday September 28, @12:12AM

          by JNCF (4317) Subscriber Badge on Thursday September 28, @12:12AM (#574112) Journal

          Also, whether or not GPU mining is competitive depends on whether or not the coin using a given algorithm is valuable enough to warrant the production of special-purpose hardware. Some coins have no ASICs yet. Note that CBS/hackers-of-CBS used Monero, not Bitcoin (I don't know if there are ASICs targeting Monero yet, but I doubt it based on their choice).

      • (Score: 3, Informative) by edIII on Thursday September 28, @01:44AM (2 children)

        by edIII (791) Subscriber Badge on Thursday September 28, @01:44AM (#574165)

        Well.... perhaps, but that doesn't let me be a lazy bastard and just expect you to make it happen :)

        Now that I think about it, with as many devices that I have that could also operate a modern web browser, it might not be a bad idea to look into getting the JS code myself and hosting a server.

        • (Score: 2) by hemocyanin on Thursday September 28, @02:45PM (1 child)

          by hemocyanin (186) on Thursday September 28, @02:45PM (#574360)

          Honestly, I'm not going to go out of my way to set up any mining software, make a transfer, blah blah blah. I just have too many things going on to add yet another thing to figure out, especially one I'm not that interested in (I've never participated in the crypto-currency scene).

          However, I very much like the idea you mentioned though, of just letting Soylent figure it out and handle the mining. I don't see any ethical issues at all provided it is an "opt-in" system. Running it in secret would be problematic because some people may need to save money on electricity, but to say to users "hey, you can help Soylent out by letting us run some mining software in the background while you're logged in, will you let us do it?" is 100% pure and ethical. It would also let people who can't or don't buy subscriptions help out and if that makes them warm fuzzies, it's 110% ethical.

          • (Score: 2) by hemocyanin on Thursday September 28, @02:47PM

            by hemocyanin (186) on Thursday September 28, @02:47PM (#574362)

            Change "_makes_ them warm fuzzies" to "_gives_ them warm fuzzies".

            I've even had coffee already dang it.

    • (Score: 2, Touché) by Anonymous Coward on Thursday September 28, @12:42AM (3 children)

      by Anonymous Coward on Thursday September 28, @12:42AM (#574121)

      You don't pay for your own power, do you?

      • (Score: 2) by JNCF on Thursday September 28, @12:47AM (1 child)

        by JNCF (4317) Subscriber Badge on Thursday September 28, @12:47AM (#574123) Journal

        He did say "while I work." I used to run SETI@home on a company computer overnight, but the company was aware.

        • (Score: 1, Funny) by Anonymous Coward on Thursday September 28, @05:29PM

          by Anonymous Coward on Thursday September 28, @05:29PM (#574453)

          My company did the same thing for a while thanks to some perverse incentives. They paid a flat rate for a set number of kWh per day (4 A.M. to 4 A.M.) to get a break on rates, with overages being charged at insane rates. Well, they were in a use it or lose it situation, so the IT department would have the machines boot into Linux and run various SMART and other diagnostics, along with BOINC in a VM. The central manager would issue stop orders at 4 A.M. or when they got too close to the kWh limit, whichever came first, and the machines would reboot in time for work the next day. Suffice it to say, that arrangement only lasted the minimum amount of time before getting terminated by the managing company because by the end of it, most companies in the building started doing various things like that, which resulted in a drastic increase in power usage bills to the managing company.

      • (Score: 0) by Anonymous Coward on Thursday September 28, @02:02PM

        by Anonymous Coward on Thursday September 28, @02:02PM (#574341)

        Of course not. Mom does.

    • (Score: 2) by maxwell demon on Thursday September 28, @04:41AM (1 child)

      by maxwell demon (1608) Subscriber Badge on Thursday September 28, @04:41AM (#574215) Journal

      Seriously. As long as the javascript was vetted, and it doesn't inject any more code from 3rd parties, it could be a viable payment method for Soylent.

      You are aware that quite a few users of SN have JavaScript disabled? I actually have JS enabled for SN. But if SN started to eat my processor cycles, I'd reverse that decision. I don't want SN to eat my processor cycles whenever I visit it, especially when on battery. Or when at work, where it may steal cycles from work-related processing. And where Bitcoin mining on work computers is explicitly forbidden BTW.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 4, Interesting) by edIII on Thursday September 28, @08:43AM

        by edIII (791) Subscriber Badge on Thursday September 28, @08:43AM (#574285)

        Dude, I wasn't talking about every single page. It could be a link to the side where you can voluntarily load the dedicated page with the mining script. I would browse articles and comments in other tabs without JS.

        Injecting code into every page would be overkill. Once per session is fine, and the dedicated page allows you to decide when you're contributing or not. Takyon had the right idea though, but it wouldn't be a bad idea to have a howto link in our profiles with the code ready for download and customization. Then I can run it from my own webserver, or just load it up locally.

        I wasn't suggesting work computers or servers. Although, I have enough authority to do so anyways. For that matter, any virtual instances are already paid for. It makes no difference whether you did a full processing load or not, you're still charged for it in that second. Power, CPU, GPU, all rolled into one rate per second. On those machines, it literally makes no sense to not take advantage of the processing cycles. Of course, these are on my own servers. For clients I would never install and run unauthorized code in the first place.

  • (Score: 4, Insightful) by bob_super on Wednesday September 27, @11:35PM (4 children)

    by bob_super (1357) on Wednesday September 27, @11:35PM (#574094)

    Good, we now have a concrete thing to point at when we tell relatives that they should use NoScript, despite how annoying it can be.

    • (Score: 0) by Anonymous Coward on Thursday September 28, @04:23AM (1 child)

      by Anonymous Coward on Thursday September 28, @04:23AM (#574207)

      Exactly. How many other sites do this and other even more underhanded things? We have no idea, how reassuring. Your money and reputation are at stake.

      But we have the choice to not run their concoction. Use it.

      • (Score: 1) by anubi on Thursday September 28, @05:11AM

        by anubi (2828) Subscriber Badge on Thursday September 28, @05:11AM (#574223)

        Maybe this explains why after visiting some sites, I have to reboot Firefox to get my CPU off the rail. I usually don't notice it until my computer gets really sluggish, and I open up the resource monitor to see what's gone wrong. Rarely happens when I am using NoScript, but often happens on my phone, when I usually have to completely close out the browser and restart it to clear.

        I feel I have to put up with these annoyances because some web planning committee approved these protocols, knowing full good and well they could be used to harass, but approved because some supporter wanted them put in so he could backdoor his code into someone else's computer to force the display of likely unwanted content, covertly collect information, or act as his rights enforcement agent.

        As long as we tolerate DRM, we are going to have this.

        While DRM can be used for "rights management", running a rights enforcement agent in someone else's machine against their will, it can also be used to run any arbitrary code in someone else's machine against their will - often with disastrous results.

        We may think of a nation full of dumbed-down DRM-accepting sheeple as profitable for someone claiming rights to something, as we are used to things like farming, mining, or manufacturing, where the resources we are exploiting do not defend themselves. But the very DRM that enforces someone's wishlist is also quite useful for carrying out the deeds of anyone who has the knowledge to know how to ask.

        Dealing with copyright infringement is like dealing with privacy issues.

        Once you put info out there, it's public. Simple as that. You basically have to trust the person you shared your little secret with not to share it with anyone else. I have no idea of how to enforce "ownership" of a "secret".

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 2) by DannyB on Thursday September 28, @05:14PM (1 child)

      by DannyB (5839) on Thursday September 28, @05:14PM (#574439)

      I've come to like uMatrix as a replacement for NoScript.

      • (Score: 2) by bob_super on Thursday September 28, @05:25PM

        by bob_super (1357) on Thursday September 28, @05:25PM (#574451)

        I don't usually blame NoScript for the tediousness of trying to view some web pages without scripts.
        I'll check uMatrix...

  • (Score: 4, Interesting) by JNCF on Wednesday September 27, @11:42PM (5 children)

    by JNCF (4317) Subscriber Badge on Wednesday September 27, @11:42PM (#574097) Journal

    Users should be told what's going on upfront, of course. That being said, good. Given that we're running arbitrary code from whoever when we browse without NoScript, why shouldn't website owners use our machines/electricity to gather cryptocurrency through a leaky bucket? Is this worse than tracking us to sell our profiles to ad firms, or displaying annoying ads that take up the processing power of our brains? I like the idea of this revenue model, though I think it would ideally be paired with a premium option sans mining.

    I know there's an open-source library for mining Bitcoin with JavaScript, but Bitcoin isn't ideal (it should use a coin that is efficient with GPUs in the moment, whichever moment it happens to be).

    • (Score: 2) by aristarchus on Wednesday September 27, @11:51PM (1 child)

      by aristarchus (2645) Subscriber Badge on Wednesday September 27, @11:51PM (#574106) Journal

      (it should use a coin that is efficient with GPUs in the moment, whichever moment it happens to be).

      DogeCoin? Is that still a thing? If not, it would be super efficient!

      --
      I will also be deleting any 'alt-right' stories
      • (Score: 2) by JNCF on Thursday September 28, @12:04AM

        by JNCF (4317) Subscriber Badge on Thursday September 28, @12:04AM (#574109) Journal

        Since practically nobody cared to mine an inflationary currency, and miners are necessary for security in a PoW system, DogeCoin can now be merge mined with LiteCoin. The ASICs, they are everywhere.

    • (Score: 2) by Reziac on Thursday September 28, @02:48AM

      by Reziac (2489) on Thursday September 28, @02:48AM (#574184) Homepage

      How about pay me a percentage of what's mined using my hardware and electricity? Then maybe I'll let you borrow my CPU.

    • (Score: 0) by Anonymous Coward on Thursday September 28, @04:34PM (1 child)

      by Anonymous Coward on Thursday September 28, @04:34PM (#574416)

      I know there's an open-source library for mining Bitcoin with JavaScript, but Bitcoin isn't ideal (it should use a coin that is efficient with GPUs in the moment, whichever moment it happens to be).

      That quite literally defeats the whole point of a cryptocurrency. The whole idea is that it's hard to derive, and therefore rare. The more efficient it is with the GPU, the easier it is to mine, and thus the less viable the currency is.

      For example, imagine there is a currency where you just need to select a floating point number which hasn't been used. There would be transfinitely many coins, and thus absolutely worthless to everybody.

      • (Score: 2) by JNCF on Thursday September 28, @08:40PM

        by JNCF (4317) Subscriber Badge on Thursday September 28, @08:40PM (#574523) Journal

        That quite literally defeats the whole point of a cryptocurrency. The whole idea is that it's hard to derive, and therefore rare. The more efficient it is with the GPU, the easier it is to mine, and thus the less viable the currency is.

        An ASIC is just an Application Specific Integrated Chip, or a hardware implementation of a given algorithm. When the value of block hashing passes some point, people will start designing hardware to hash blocks more efficiently. When it becomes uncompetitive to mine using off the shelf hardware, the barrier of entry for new miners has been raised and we can expect comparatively fewer miners participating in the ecosystem. If we believed that security was improved by having a greater diversity of miners, thus making it harder for miners to conspire in a 51% (or less) attack, we would want off the shelf hardware to be competitive. For this reason coins have been designed to be ASIC-resistant by employing algorithms that GPUs are particularly good at, most notably LiteCoin with its scrypt algorithm. When LiteCoin passed a certain point of value it still made financial sense to start producing ASICs that targeted scrypt.

        All that said, I'm not even convinced that ASIC-resistance is something that should be strived for. In the long run, dedicated hardware might be fine. But let's consider this from the perspective of a selfish entity operating in the current landscape, not caring about what should be but instead what is. Given that some coins have reached such value that GPUs are not competitive, and some coins have not reached such value, we can mine the latter coins on off the shelf hardware that users are using to visit webpages while attempting to mine the former coins with that same hardware will be very unlikely to result in anything. The coins we can mine can then be traded for coins we can't practically mine, so we don't care about the long term viability of the currency we're mining. We don't even care if it's an efficient use of electricity to mine the coins, because we aren't paying for the electricity -- our users are. The coins just have to cover server and maintenance costs, or supplement some other income to help cover those costs.

        For example, imagine there is a currency where you just need to select a floating point number which hasn't been used. There would be transfinite many coins, and thus absolutely worthless to everybody.

        With no further rules, there could eventually be a ridiculously large number of coins mined (though still theoretically finite -- you can't keep mining after heat death unless we come up with a wacky time-crystal based Turing machine). Real PoW cryptocurrencies employ scaling difficulties; in the case of Bitcoin this takes the form of an increasing (or theoretically decreasing if mining scales down for too long) number of leading zeros in the hash of a block. We could swap out the hashing algorithm while keeping the scaling difficulty and new ASICs would need to be designed, but the time it takes for blocks to be mined wouldn't really be affected in the long term.

  • (Score: 0) by Anonymous Coward on Thursday September 28, @12:36AM

    by Anonymous Coward on Thursday September 28, @12:36AM (#574116)

    XBS more appropriately.

  • (Score: 5, Interesting) by goodie on Thursday September 28, @12:36AM

    by goodie (1877) on Thursday September 28, @12:36AM (#574118) Journal

    Many people who "program" for a living really just do copy/paste/tweak stuff they find online until it works, with no code review or QA process in place to check for this type of stupidity. That's where I'd put my (crypto)money ;)

  • (Score: 2) by Bot on Thursday September 28, @02:00PM

    by Bot (3902) Subscriber Badge on Thursday September 28, @02:00PM (#574339)

    as if a million users, formerly considered as the nerds whose browsers "don't work", suddenly started admiring the noscript icon on their screens with a smug smile.

  • (Score: 4, Insightful) by nobu_the_bard on Thursday September 28, @02:43PM

    by nobu_the_bard (6373) on Thursday September 28, @02:43PM (#574358)

    Why assume someone broke in? It could have been a contracted web developer who thought he was being clever. It doesn't need to have been a "miscreant".

  • (Score: 2) by DannyB on Thursday September 28, @05:08PM

    by DannyB (5839) on Thursday September 28, @05:08PM (#574436)

    The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic.

    Why send HTML comment tags to browsers?
