SoylentNews is people
SoylentNews
Showtime, a premium cable, satellite, and streaming television service owned by CBS, included JavaScript on two of its domains that used users' web browsers to mine the cryptocurrency Monero:
The websites of US telly giant CBS's Showtime contained JavaScript that secretly commandeered viewers' web browsers over the weekend to mine cryptocurrency.
The flagship Showtime.com and its instant-access ShowtimeAnytime.com sibling silently pulled in code that caused browsers to blow spare processor time calculating new Monero coins – a privacy-focused alternative to the ever-popular Bitcoin. The hidden software typically consumed as much as 60 per cent of CPU capacity on computers visiting the sites.
The scripts were written by Code Hive, a legit outfit that provides JavaScript to website owners: webmasters add the code to their pages so that they can earn slivers of cash from each visitor as an alternative to serving adverts to generate revenue. Over time, money mined by the Code-Hive-hosted scripts adds up and is transferred from Coin Hive to the site's administrators. One Monero coin, 1 XMR, is worth about $92 right now.
However, it's extremely unlikely that a large corporation like CBS would smuggle such a piece of mining code onto its dot-coms – especially since it charges subscribers to watch the hit TV shows online – suggesting someone hacked the websites' source code to insert the mining JavaScript and make a quick buck.
The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers' pages, so the code must have come from another source – or was injected by miscreants who had compromised Showtime's systems.
Also at PCMag.
(Score: -1, Troll) by Anonymous Coward on Wednesday September 27 2017, @10:43PM
Dark. Hard. 🅳🅸🅲🅺 🅽🅸🅶🅶🅴🆁🆂.
Yeah so we never fuck no old pussy.
You know we fuck whole lots of young pussy.
🅳🅸🅲🅺 🅽🅸🅶🅶🅴🆁🆂 gonna give ya the full mineshaft of black hot niggercode cryptocum.
(Score: 3, Interesting) by edIII on Wednesday September 27 2017, @11:34PM (14 children)
Seriously. As long as the javascript was vetted, and it doesn't inject any more code from 3rd parties, it could be a viable payment method for Soylent. I got a big ol' honking CPU plus a Nvidia 1070 under the hood. I would not mind at all having a browser open on a different workspace in the background while I work. If I need the processing power I can always close the page.
My issues with javascript are just security ones. I have no real problems with it otherwise, and I ran the Piwik code while Soylent was using it. I've bought a few subs, but at $97 per coin, if I can generate a coin per year, I would end up contributing more to Soylent.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 5, Insightful) by takyon on Wednesday September 27 2017, @11:39PM (7 children)
Wouldn't it be more efficient and ethical to have users run the mining code themselves and donate the currency to a Soylent wallet?
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 4, Funny) by Anonymous Coward on Wednesday September 27 2017, @11:43PM
SSShhh... that's the logical solution so of course that means it won't be considered at all what-so-ever.
(Score: 0) by Anonymous Coward on Thursday September 28 2017, @12:02AM (2 children)
Especially since JavaScript miners are, as I understand it, completely unable to access the GPU resources. Although, that isn't much help as even GPU mining isn't really effective without a super powerful card, because of all the ASIC and FPGA miners out there.
(Score: 2) by JNCF on Thursday September 28 2017, @12:07AM
IIRC, the code I've seen used funky WebGL shaders I didn't grok to mine BTC through the GPU.
(Score: 2) by JNCF on Thursday September 28 2017, @12:12AM
Also, whether or not GPU mining is competitive depends on whether or not the coin using a given algorithm is valuable enough to warrant the production of special-purpose hardware. Some coins have no ASICs yet. Note that CBS/hackers-of-CBS used Monero, not Bitcoin (I don't know if there are ASICS targeting Monero yet, but I doubt it based on their choice).
(Score: 3, Informative) by edIII on Thursday September 28 2017, @01:44AM (2 children)
Well.... perhaps, but that doesn't let me be a lazy bastard and just expect you to make it happen :)
Now that I think about it, with as many devices that I have that could also operate a modern web browser, it might not be a bad idea to look into getting the JS code myself and hosting a server.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by hemocyanin on Thursday September 28 2017, @02:45PM (1 child)
Honestly, I'm not going to go out of my way to set up any mining software, make a transfer, blah blah blah. I just have too many things going on to add yet another thing to figure out, especially one I'm not that interested in (I've never participated in the crypto-currency scene).
However, I very much like the idea you mentioned though, of just letting Soylent figure it out and handle the mining. I don't see any ethical issues at all provided it is an "opt-in" system. Running it in secret would be problematic because some people may need to save money on electricity, but to say to users "hey, you can help Soylent out by letting us run some mining software in the background while you're logged in, will you let us do it?" is 100% pure and ethical. It would also let people who can't or don't by subscriptions help out and if that makes them warm fuzzies, it's 110% ethical.
(Score: 2) by hemocyanin on Thursday September 28 2017, @02:47PM
Change "_makes_ them warm fuzzies" to "_gives_ them warm fuzzies".
I've even had coffee already dang it.
(Score: 2, Touché) by Anonymous Coward on Thursday September 28 2017, @12:42AM (3 children)
You don't pay for your own power, do you?
(Score: 2) by JNCF on Thursday September 28 2017, @12:47AM (1 child)
He did say "while I work." I used to run SETI@home on a company computer overnight, but the company was aware.
(Score: 1, Funny) by Anonymous Coward on Thursday September 28 2017, @05:29PM
My company did the same thing for awhile thanks to some perverse incentives. They paid a flat rate for a set number of kWh per day (4 A.M. to 4 A.M.) to get a break on rates, with overages being charged at insane rates. Well, they were in a use it or lose it situation, so the IT department would have the machines boot into Linux and run various SMART and other diagnostics, along with BOINC in a VM. The central manager would issue stop orders at 4 A.M. or when they got too close to the kWh limit, whichever came first and the machines would reboot in time for work the next day. Suffice to say, that arrangement only lasted the minimum amount of time before getting terminated by the managing company because by the end of it, most companies in the building started doing various things like that, which resulted in a drastic increase in power usage bills to the managing company.
(Score: 0) by Anonymous Coward on Thursday September 28 2017, @02:02PM
Of course not. Mom does.
(Score: 2) by maxwell demon on Thursday September 28 2017, @04:41AM (1 child)
You are aware that quite a few users of SN have JavaScript disabled? I actually have JS enabled for SN. But if SN started to eat my processor cycles, I'd reverse that decision. I don't want SN to eat my processor cycles whenever I visit it, especially when on battery. Or when at work, where it may steal cycles from work-related processing. And where Bitcoin mining on work computers is explicitly forbidden BTW.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 4, Interesting) by edIII on Thursday September 28 2017, @08:43AM
Dude, I wasn't talking about every single page. It could be a link to the side where you can voluntarily load the dedicated page with the mining script. I would browse articles and comments in other tabs without JS.
Injecting code into every page would be overkill. Once per session is fine, and the dedicated page allows you to decide when you're contributing or not. Takyon had the right idea though, but it wouldn't be a bad idea to have a howto link in our profiles with the code ready for download and customization. Then I can run it from my own webserver, or just load it up locally.
I wasn't suggesting work computers or servers. Although, I have enough authority to do so anyways. For that matter, any virtual instances are already paid for. It makes no difference whether you did a full processing load or not, you're still charged for it in that second. Power, CPU, GPU, all rolled into one rate per second. On those machines, it literally makes no sense to not take advantage of the processing cycles. Of course, these are on my own servers. For clients I would never install and run unauthorized code in the first place.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 4, Insightful) by bob_super on Wednesday September 27 2017, @11:35PM (4 children)
Good, we now have a concrete thing to point at when we tell relatives that they should use NoScript, despite how annoying it can be.
(Score: 0) by Anonymous Coward on Thursday September 28 2017, @04:23AM (1 child)
Exactly. How many other sites do this and other even more underhanded things? We have no idea, how reassuring. Your money and reputation is at stake.
But we have the choice to not run their concoction. Use it.
(Score: 1) by anubi on Thursday September 28 2017, @05:11AM
Maybe this explains why after visiting some sites, I have to reboot Firefox to get my CPU off the rail. I usually don't notice it until my computer gets really sluggish, and I open up the resource monitor to see what's gone wrong. Rarely happens when I am using NoScript, but often happens on my phone, when I usually have to completely close out the browser and restart it to clear.
I feel I have to put up with these annoyances because some web planning committee approved these protocols, knowing full good and well they could be used to harass, but approved because some supporter wanted them put in so he could backdoor his code into someone else's computer to force the display of likely unwanted content, covertly collect information, or act as his rights enforcement agent.
As long as we tolerate DRM, we are going to have this.
While DRM can be used for "rights management", running a rights enforcement agent in someone else's machine against their will, it can also be used to run any arbitrary code in someone else's machine against their will - often having disastrous result.
We may think a nation full of dumbed-down DRM-accepting sheeple as profitable for someone claiming rights to something, as we are used to things like farming, mining, or manufacturing, where the resources we are exploiting do not defend themselves. But the very DRM that enforces someone's wishlist is also quite useful for carrying out the deeds of anyone who has the knowledge to know how to ask.
Dealing with copyright infringement is like dealing with privacy issues.
Once you put info out there, its public. Simple as that. You basically have to trust the person you shared your little secret with not to share it to anyone else. I have no idea of how to enforce "ownership" of a "secret".
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by DannyB on Thursday September 28 2017, @05:14PM (1 child)
I've come to like uMatrix as a replacement for NoScript.
The lower I set my standards the more accomplishments I have.
(Score: 2) by bob_super on Thursday September 28 2017, @05:25PM
I don't usually blame NoScript for the tediousness of trying to view some web pages without scripts.
I'll check uMatrix...
(Score: 4, Interesting) by JNCF on Wednesday September 27 2017, @11:42PM (5 children)
Users should be told what's going on upfront, of course. That being said, good. Given that we're running arbitrary code from whoever when we browse without NoScript, why shouldn't website owners use our machines/electricity to gather cryptocurrency through a leaky bucket? Is this worse than tracking us to sell our profiles to ad firms, or displaying annoying ads that take up the processing power of our brains? I like the idea of this revenue model, though I think it would ideally be paired with a premium option sans mining.
I know there's an open-source library for mining Bitcoin with JavaScript, but Bitcoin isn't ideal (it should use a coin that is efficient with GPUs in the moment, whichever moment it happens to be).
(Score: 2) by aristarchus on Wednesday September 27 2017, @11:51PM (1 child)
DogeCoin? Is that still a thing? If not, it would be super efficient!
(Score: 2) by JNCF on Thursday September 28 2017, @12:04AM
Since practically nobody cared to mine an inflationary currency, and miners are necessary for security in a PoW system, DogeCoin can now be merge mined with LiteCoin. The ASICs, they are everywhere.
(Score: 2) by Reziac on Thursday September 28 2017, @02:48AM
How about pay me a percentage of what's mined using my hardware and electricity? then maybe I'll let you borrow my CPU.
And there is no Alkibiades to come back and save us from ourselves.
(Score: 0) by Anonymous Coward on Thursday September 28 2017, @04:34PM (1 child)
That quite literally defeats the whole point of a cryptocurrency. The whole idea is that it's hard to derive, and therefore rare. The more efficient it is with the GPU, the easier it is to mine, and thus the less viable the currency is.
For example, imagine there is a currency where you just need to select a floating point number which hasn't been used. There would be transfinite many coins, and thus absolutely worthless to everybody.
(Score: 2) by JNCF on Thursday September 28 2017, @08:40PM
An ASIC is just an Application Specific Integrated Chip, or a hardware implementation of a given algorithm. When the value of block hashing passes some point, people will start designing hardware to hash blocks more efficiently. When it becomes uncompetitive to mine using off the shelf hardware, the barrier of entry for new miners has been raised and we can expect comparative fewer miners participating in the ecosystem. If we believed that security was improved by having a greater diversity of miners, thus making it harder for miners to conspire in a 51% (or less) attack, we would want off the shelf hardware to be competitive. For this reason coins have been designed to be ASIC-resistant by employing algorithms that GPUs are particularly good at, most notably LiteCoin with it's scrypt algorithm. When LiteCoin passed a certain point of value it still made financial sense to start producing ASICs that targeted scrypt.
All that said, I'm not even convinced that ASIC-resistance is something that should be strived for. In the long run, dedicated hardware might be fine. But let's consider this from the perspective of a selfish entity operating in the current landscape, not caring about what should be but instead what is. Given that some coins have reached such value that GPUs are not competitive, and some coins have not reached such value, we can mine the latter coins on off the shelf hardware that users are using to visit webpages while attempting to mine the former coins with that same hardware will be very unlikely to result in anything. The coins we can mine can then be traded for coins we can't practically mine, so we don't care about the long term viability of the currency we're mining. We don't even care if it's an efficient use of electricity to mine the coins, because we aren't paying for the electricity -- our users are. The coins just have to cover server and maintenance costs, or supplement some other income to help cover those costs.
With no further rules, there could eventually be a ridiculously large number of coins mined (though still theoretically finite -- you can't keep mining after heat death unless we come up with a wacky time-crystal based turing machine). Real PoW cryptocurrencies employ scaling difficulties; in the case of Bitcoin this takes the form of an increasing (or theoretically decreasing if mining scales down for too long) number of leading zeros in the hash of a block. We could swap out the hashing algorithm while keeping the scaling difficulty and new ASICs would need to be designed, but the time it takes for blocks to be mined wouldn't really be affected in the long term.
(Score: 0) by Anonymous Coward on Thursday September 28 2017, @12:36AM
XBS more appropriately.
(Score: 5, Interesting) by goodie on Thursday September 28 2017, @12:36AM
Many people who "program" for a living really just do copy/paste/tweak stuff they find online until it works, with no code review or QA process in place to check for this type of stupidity. That's where I'd put my (crypto)money ;)
(Score: 2) by Bot on Thursday September 28 2017, @02:00PM
as if a million users, formerly considered as the nerds whose browsers "don't work", suddenly started admiring the noscript icon on their screens with a smug smile.
Account abandoned.
(Score: 4, Insightful) by nobu_the_bard on Thursday September 28 2017, @02:43PM
Why assume someone broke in? It could have been a contracted web developer who thought he was being clever. It doesn't need to have been a "miscreant".
(Score: 2) by DannyB on Thursday September 28 2017, @05:08PM
Why send HTML comment tags to browsers?
The lower I set my standards the more accomplishments I have.