from the got-to-pay-for-those-adverts-somehow dept.
The news outlet Salon is allowing Adblock-using visitors to opt-in to using the JavaScript-based Coinhive tool to mine the cryptocurrency Monero:
Other sites have used cryptocurrency mining in lieu of (or in addition to) advertising. Sometimes, it's done surreptitiously without users' consent — The Pirate Bay admitted to secretly adding Coinhive integration last year, and hackers have planted mining malware on other sites. In this case, it's an opt-in program; a spokesperson tells FT that testing started on Monday.
Salon has an FAQ explaining this move.
Also at Ars Technica.
Related: Showtime Streaming Service Included JavaScript to Mine Cryptocurrency Using Web Browsers
PolitiFact Hacked to Mine Cryptocurrency Using Visitors' Web Browsers
Wi-Fi at Starbucks Buenos Aires Has Computers Mine Crypto-Currency
Bitcoin Hype Pushes Hackers to Lesser-Known Cryptocurrencies
Thousands of Websites Hijacked by Hidden Crypto-Mining Code After Popular Plugin Pwned
Related Stories
Showtime, a premium cable, satellite, and streaming television service owned by CBS, included JavaScript on two of its domains that used users' web browsers to mine the cryptocurrency Monero:
The websites of US telly giant CBS's Showtime contained JavaScript that secretly commandeered viewers' web browsers over the weekend to mine cryptocurrency.
The flagship Showtime.com and its instant-access ShowtimeAnytime.com sibling silently pulled in code that caused browsers to blow spare processor time calculating new Monero coins – a privacy-focused alternative to the ever-popular Bitcoin. The hidden software typically consumed as much as 60 per cent of CPU capacity on computers visiting the sites.
The scripts were written by Code Hive, a legit outfit that provides JavaScript to website owners: webmasters add the code to their pages so that they can earn slivers of cash from each visitor as an alternative to serving adverts to generate revenue. Over time, money mined by the Code-Hive-hosted scripts adds up and is transferred from Coin Hive to the site's administrators. One Monero coin, 1 XMR, is worth about $92 right now.
However, it's extremely unlikely that a large corporation like CBS would smuggle such a piece of mining code onto its dot-coms – especially since it charges subscribers to watch the hit TV shows online – suggesting someone hacked the websites' source code to insert the mining JavaScript and make a quick buck.
The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers' pages, so the code must have come from another source – or was injected by miscreants who had compromised Showtime's systems.
Also at PCMag.
On Friday, the fact-checking website PolitiFact was found to hog its visitors' CPU cycles by using maliciously added JavaScript to mine the cryptocurrency Monero:
A fact-checking website was hacked to mine cryptocurrency over the internet browsers of its unsuspecting visitors. The Pulitzer Prize-winning website, PolitiFact, is devoted to sorting out the truth in US politics. But on Friday, it was found secretly hogging the computer resources of those who visited the site.
Independent security researcher Troy Mursch tweeted about the issue after noticing signs of a cryptocurrency miner in the website's code.
[...] Mursch said the code comes from a company called Coinhive, which developed a controversial cryptocurrency miner to help businesses find a new way to generate online revenue.
However, the Coinhive miner tends to be used in sketchy websites that pirate content or offer porn, according to AdGuard, an ad-blocking service. These sites often struggle to make money from online advertising, so they have to experiment with new ways to make money. AdGuard found 220 websites using a cryptocurrency mining code in a study it released on Thursday.
Does this count as good or bad press for a small-time cryptocurrency?
Also at TechCrunch, The Register, and Cryptovest. Coinhive blog statement from September regarding malicious use.
Previously: Showtime Streaming Service Included JavaScript to Mine Cryptocurrency Using Web Browsers
We've discussed the potential for stealing CPU cycles from javascript-enabled browsers many a time. It seems one coffee shop in Buenos Aires has put it into practice:
A customer of Starbucks Buenos Aires accused the popular café company of illegally mining Bitcoin using his personal laptop. Noah Dinkin, the man who discovered that his laptop was being used to mine cryptocurrency via Starbucks' free WiFi, tweeted a screenshot to prove it. [It] shows that the WiFi provider in Starbucks Buenos Aires forces a 10 second delay when you first connect to the WiFi so it can mine crypto using the customer's laptop.
Starbucks responded to Dinkin on Twitter to clear up the accusation 10 days later.
Other twitterers pointed out that the crypto-currency in question was in fact Monero, not Bitcoin.
Also covered by The Register and the BBC among others.
Submitted via IRC for SoyCow8317
Cybercriminals are increasingly moving away from bitcoin as their preferred digital currency in favor of lesser-known cryptocurrencies because of prolonged transaction delays, surging transaction costs and general market volatility, experts tell CyberScoop.
Although cybercriminals have been slowly moving away from bitcoin for months, researchers say a noticeable shift towards alternative coins — such as Monero, Dash and ZCash — occurred when bitcoin's value skyrocketed over $19,000 for one bitcoin in mid-December. The price has drastically fluctuated between $12,000 and roughly $19,000 since then.
"Many cybercriminals emulate the operational best practices of legitimate businesses in order to minimize their overhead costs and maximize returns, and in the case of high transaction costs with bitcoin, it makes perfect sense to look at other coins with smaller overheads," said Richard Henderson, a global security strategist with endpoint cybersecurity firm Absolute.
Submitted via IRC for Bytram
Thousands of websites around the world – from the UK's NHS and ICO to the US government's court system – were today secretly mining crypto-coins on netizens' web browsers for miscreants unknown.
The affected sites all use a fairly popular plugin called Browsealoud, made by Brit biz Texthelp, which reads out webpages for blind or partially sighted people.
This technology was compromised in some way – either by hackers or rogue insiders altering Browsealoud's source code – to silently inject Coinhive's Monero miner into every webpage offering Browsealoud.
For several hours today, anyone who visited a site that embedded Browsealoud inadvertently ran this hidden mining code on their computer, generating money for the miscreants behind the caper.
Source: https://www.theregister.co.uk/2018/02/11/browsealoud_compromised_coinhive/
(Score: 3, Interesting) by Anonymous Coward on Wednesday February 14 2018, @03:23PM (23 children)
While this might seem silly, I'm ok with them doing this as long as they are upfront with it.
Admittedly, JS miners are probably the least efficient of them all, but if media needs a new way to support themselves, asking visitors to have their computers work for them seems an easier sell than online subscriptions, and more honest than ads, IMO.
(Score: 4, Insightful) by Anonymous Coward on Wednesday February 14 2018, @03:46PM (5 children)
If a company can mine shitcoins instead of ads, they'll mine shitcoins as well as ads.
(Score: 0) by Anonymous Coward on Wednesday February 14 2018, @04:02PM
Yes, this is true.
(Score: 1) by Paradise Pete on Wednesday February 14 2018, @04:17PM (2 children)
That depends. If not running ads mean sufficiently more visitors and more mining, then they won't run ads. It wouldn't make sense.
(Score: 4, Insightful) by frojack on Wednesday February 14 2018, @06:44PM (1 child)
Seriously?
When have you ever seen them back off running ads? Even in the face of rampant adblockers they just kept piling on more ads.
Remember that these sites incur zero costs when running ads. They don't pay that bandwidth, they just include a link to an advertising network. They don't even have lot of say about the type of ads.
No, you are mistaken. I've always had this sig.
(Score: 1) by Paradise Pete on Saturday February 17 2018, @05:17PM
Was my post not clear? If running more ads means sufficiently less mining, then it would be counter-productive to run more ads. You and a few moderators did not understand this?
(Score: 2) by chromas on Thursday February 15 2018, @01:48AM
True, but Adblock. I'd be more inclined to let a site inefficiently mine a buttcoin than deactivate uBlock for it (where 0>0).
(Score: 3, Insightful) by melikamp on Wednesday February 14 2018, @03:56PM (7 children)
So instead of fucking our eyeballs and gray cells, they are gonna fuck our cpus, buses, and network?
I said it before, and I'll say it again: fuck JavaScript. Fuck it not as a language, but as an ecosystem. All JS drive-by-downloading needs to be urgently replaced by standardized calls to locally-installed free+libre software library.
And if you think that this initial stage of outrage will somehow stem the tide of cycle theft, think again. (And yes, it's a real theft of my joules, not like a pretend theft of Micky Mouse's likeness, because if they use my cycles, I can't use them anymore.) Once the initial wave of whattafuck settles down, EVERY commercial site will start mining like that. They will obfuscate the code properly, so that it's not apparent what it does, and there's not gonna be a jack shit you can do about it, except install a NoScript equivalent, which seems to be the only thing that works against this user abuse.
Perhaps eventually consumers will realize they need to demand every business to provide a 100% standard compliant HTTP+CSS front which works with a free+libre renderer, but things will get a lot worse before they get better.
(Score: 2, Touché) by Anonymous Coward on Wednesday February 14 2018, @04:29PM
"Instead"? The ads are already fucking our cpus, buses, and network. Not to mention fucking our offline data and wallets through viruses, ransomware, and other malware spread by ad networks.
Both cryptominer and ads use ridiculous amount of resources, but a cryptominer removes malware-infested dependency on ad networks, and spares your eyeballs and gray cells. It's not a good choice, but it's a drastic improvement nevertheless.
(Score: 2) by DeathMonkey on Wednesday February 14 2018, @05:23PM (2 children)
A lot easier to replace the metal-cpu than the meat-cpu...
(Score: 2) by frojack on Wednesday February 14 2018, @06:50PM (1 child)
Well Folding At Home has the capacitors on my Mobo all bulgeing because my GPU is pulling so much power through the PCI bus.
I'm now shopping for a replacement mobo - or a new machine.
With 6 or 10 browser tabs trying to monopolize my CPU cores I can see serious hardware penalties, not to mention increasing sluggish machine.
No, you are mistaken. I've always had this sig.
(Score: 2) by chromas on Thursday February 15 2018, @01:45AM
You should probably plug in the 6-pin power connector.
(Score: 3, Interesting) by crafoo on Wednesday February 14 2018, @06:02PM
If the coming abuse ends javascript I say they should step it up. Javascript was a mistake. Anything that makes it annoying to the common user is a huge win.
(Score: 2) by Pino P on Thursday February 15 2018, @05:58AM (1 child)
Good luck getting end users to port said "locally-installed free+libre software library" to their preferred desktop and mobile operating systems.
(Score: 2) by melikamp on Thursday February 15 2018, @08:02AM
(Score: 1, Interesting) by Anonymous Coward on Wednesday February 14 2018, @04:05PM (2 children)
Instead of addressing why their revenue model wasn't working they'll now wear down your GPU or CPU fans instead of infecting you with malware. The issue with ads is not ads, it's the kind of ads and the lack of accountability. You wouldn't buy food from a company that previously "accidentally" included a shot of cyanide in their produce, yet this is totally A-OK with ads.
(Score: 4, Insightful) by All Your Lawn Are Belong To Us on Wednesday February 14 2018, @05:26PM
I don't know about that. We accept salmonella infested poultry.
This sig for rent.
(Score: 2) by frojack on Wednesday February 14 2018, @06:57PM
Its also the sheer number of ads. Its the fact that the ads take up more network bandwidth and CPU than the content you were surfing for.
And on top of that all the pointless tracking from one site to the next.
Its not the fans I'm worried about.
No, you are mistaken. I've always had this sig.
(Score: 4, Insightful) by richtopia on Wednesday February 14 2018, @04:53PM (4 children)
I think it is time to start the next Paetron. People are willing to "pay" for content, but for a website the effective value of a view should be around a cent. Unfortunately any formal credit card transaction with a website is risk prone and time consuming, not to mention the credit card fees would kill small transactions. If there was a fast way to throw a couple pennies at a site when viewing I believe many people would opt into that.
(Score: 2) by everdred on Wednesday February 14 2018, @06:45PM
This kind of sounds like Flattr [wikipedia.org].
(Score: 2) by jdavidb on Wednesday February 14 2018, @06:47PM (2 children)
It's under construction at http://yours.org/ [yours.org].
ⓋⒶ☮✝🕊 Secession is the right of all sentient beings
(Score: 2) by frojack on Wednesday February 14 2018, @06:59PM (1 child)
That's just another mining scheme.
A true micro payment system would only need a tenth or a hundredth of a cent per visit to make money.
No, you are mistaken. I've always had this sig.
(Score: 2) by jdavidb on Thursday February 15 2018, @02:05PM
What? How is that mining?
ⓋⒶ☮✝🕊 Secession is the right of all sentient beings
(Score: 0) by Anonymous Coward on Wednesday February 14 2018, @10:32PM
Can a js miner even do much, in a browser running on a cpu?
(Score: 2, Interesting) by Anonymous Coward on Wednesday February 14 2018, @04:06PM (5 children)
I'm also ok with this idea, though I wish there was was something more cost-effective than JS to do this with.
And if we could get computers doing some actual *useful* work ala Folding@home, it would be a great way to destroy 90% of the current ad industry.
Though the need for blocking such scripts will become necessary almost immediately; at the moment there's no reason for websites to be honest about highjacking your cpu/gpu
(Score: 0) by Anonymous Coward on Wednesday February 14 2018, @04:09PM
They could resort to activeX or not-activeX (asm.JS) or the new DRM components shilled into the HTML standard.
(Score: 3, Funny) by takyon on Wednesday February 14 2018, @04:09PM (3 children)
How about a Salon app that mines cryptocoins while you read?
For mobile users, it could use your front-facing camera to track your eyeballs.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0, Troll) by Anonymous Coward on Wednesday February 14 2018, @04:52PM (2 children)
I'd prefer it if it activated an anal dildo so I could get that authentic fucked-in-the-ass experience.
(Score: -1, Redundant) by Anonymous Coward on Wednesday February 14 2018, @10:44PM
MOD PARENT UP
This.
Describes the ad revenue situation perfectly
(Score: 3, Touché) by chromas on Thursday February 15 2018, @01:51AM
You can already get that experience just by reading Salon!
(Score: 1, Interesting) by Anonymous Coward on Wednesday February 14 2018, @04:18PM (8 children)
In Cascading Style Sheets, there are ways to overcome nefarious styles imposed by coders using specificity and even override a website's CSS altogether to use your own stylesheet as preferred. This logic is built into all web browsers. Why can't web browser devs simply allow a locally installed, and trusted, JavaScript library to be used by default that cuts this and much of the rest of the crap out? Have it a toggle so you can control it if desired. Why does JavaScript get a free pass yet devs now block Flash and Silverlight by default? I realize JavaScript is so engrained in the functionality of today's Internetz but its time to take back control (and it shouldn't be an add-on like a No-Script, it should be structurally part of the browser code).
If done correctly, it would shut down this crap (and advertisements for that matter) overnight - for good!
(Score: 3, Insightful) by takyon on Wednesday February 14 2018, @04:37PM (1 child)
Throwing a custom CSS stylesheet into the mix is less likely to break things than custom JavaScript or turning off the site's JS. Especially in cases where so much content or functionality is buried in heavy JS.
Firefox and other browsers have made it pretty annoying to customize CSS. Usually you will want to download an extension instead. Which is what you would do with JS to get what you want (uMatrix + Greasemonkey/Tampermonkey).
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Thursday February 15 2018, @03:09AM
Where I come from we call that "defective."
(Score: 1, Informative) by Anonymous Coward on Wednesday February 14 2018, @04:49PM
Aks and ye shall receive:
https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/ [mozilla.org]
Stores local copies of major JS libraries so you don't need to download them each time NOR provide a tracking method for every site you visit.
(Score: 2) by TheRaven on Wednesday February 14 2018, @04:54PM (2 children)
They do, they call them add-ons or extensions. For example, the browser that I'm using now doesn't support U2F out of the box, but I have an extension installed that injects some JavaScript that provides the U2F APIs into every page before it loads.
sudo mod me up
(Score: 3, Interesting) by frojack on Wednesday February 14 2018, @07:11PM (1 child)
Well if the advertising industry could get together an publish an open source add-on that could be installed ONCE, and controlled by the user as far as CPU/CPU resources that would be fair.
We could verify there was no tracking.
We could verify that bitcoin was the ONLY thing they were mining.
We could verify that it all stopped when browser shut down.
We could verify that only the current active page is allowed to mine, not those 30 background tabs millennials insist on running.
We could verify that it was "niced" to a sufficient degree that it did not impact machine usage.
We could choose not to run it at all, or only run it for 20 seconds, or what ever.
We'd be paying the electricity bill as well as the cpu cycles. We'd be burning more coal, gas, etc. We ought to be able to control some of that. Why should advertisers get a free hand at polluting the earth.
No, you are mistaken. I've always had this sig.
(Score: 2) by melikamp on Thursday February 15 2018, @08:08AM
Your ideas are intriguing to me and I wish to subscribe to your newsletter.
(Score: 2) by chromas on Thursday February 15 2018, @02:00AM
Just start shipping Python with browsers so you get a language with All the Features so you don't have to farm out to chains of remotely hosted third-party libraries. [softpedia.com]
import left-pad
Or PHP.
(Score: 2) by melikamp on Thursday February 15 2018, @08:36AM
On one hand, JavaScript has free+libre interpreters, and many people dislike shady proprietary components. On the other hand, it really shouldn't get a free pass at all: the same people seem to be turning a blind eye to running absolute mystery software from literally thousands of independent sources, with absolute zero audit. Excuse? It's sandboxed. So we got this mystery software designed to exploit you and your hardware to the fullest extent allowed by physics, but somehow knowing that it's sandboxed inside a virtual machine makes people all fuzzy and cuddly inside. Here, take my cycles, exploit my zero days, and make my web pages look like flying barf in the process. Would these people take a spiky metal rod up their wazoos if it was sandboxed into some kind of protective shell and properly lubricated? Why not? It would hurt orders of magnitude less.
(Score: 2) by All Your Lawn Are Belong To Us on Wednesday February 14 2018, @05:35PM
I finally found something for which I'll run NoScript for. Installed now. Let's see how I do controlling my script usage.
This sig for rent.
(Score: 2) by NotSanguine on Wednesday February 14 2018, @06:03PM
And here's another reason to continue in that fashion.
As for the surreptitious fuckers, I primarily use one browser with JS *disabled*. For sites that I actually want (or need) to use that require it, I use a different browser. Interestingly, since I've been using this configuration, I almost never paste a link into the JS-enabled browser when the site doesn't work without JS.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by DannyB on Wednesday February 14 2018, @06:19PM
(to repeat what I posted elsewhere a few hours ago...)
Hey Salon,
I have an even better offer for you!
How about, you run ads and mine cryptocurrency in browsers, and in exchange I'll never visit your site ever again.
Ever.
Never ever.
Even if you change this policy, I won't know about it because I will not ever visit your site again.
This is a fantastic opportunity for you and I think you should take advantage of it. What makes this such a great offer is the fact that the internet offers so many choices of sites that one can visit to obtain information.
Sincerely,
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 0) by Anonymous Coward on Wednesday February 14 2018, @06:54PM (1 child)
The funny thing is how will they tell the difference between visitors with very slow CPUs (old, mobile etc) and visitors who are throttling the mining greatly?
Do you have to mine a minimum amount before you get to view stuff? If you do then some people will weaker machines may be left out.
It'll be interesting if this actually evolves to sites getting to use your hardware in more efficient and direct ways for mining (JS is very inefficient), instead of people actually mining or buying cryptocurrency and using it to pay to view the site.
(Score: 2) by nobu_the_bard on Wednesday February 14 2018, @07:20PM
Heh. This sounds dangerously like a road that leads to needing to provide quality content to attract miners with the best hardware or internet connections.