
CBS's Showtime caught mining crypto-coins in viewers' web browsers - quigglebotts
http://go.theregister.com/feed/www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script/
======
brailsafe
I bet some clever person on the marketing team just went ahead and inserted
the tag. My first experience on a large corporate dev team was eye-opening.
While the core product code was version controlled and reviewed, the marketing
team had the power to insert any kind of scripts onto the page without
clearance. In theory, anything new on the page would require many ridiculous
meetings. In practice, they could and did put in whatever through a third-
party like New Relic.

~~~
wavefunction
Then your code wasn't version controlled and reviewed.

I had a similar request for Google Tags and I explained my concerns to my CTO
and voila, no Google Tags that didn't come through us.

~~~
_Codemonkeyism
It depends on the market pressure and resources you have.

Low pressure, many resources (money) => Review/Implement all Google Tags
changes

High pressure, low resources (money) => Marketing can do their own thing to
reduce pressure on the development team.

HM and LL are somewhere in between.

Classic trade off like most of the things in software development.

~~~
JoshTriplett
> High pressure, low resources (money) => Marketing can do their own thing to
> reduce pressure on the development team.

"Marketing can do their own thing" makes for _more_ work and pressure on the
development team. "Why doesn't this work in production?" "Why is this slow in
production?"

Nobody gets to skip CI, or work without coordination.

~~~
_Codemonkeyism
Your experiences differ from mine.

"Why doesn't this work in production?" -> "Because Marketing screwed up, look
at this dashboard screenshot"

"Why is this slow in production?" -> "Because Marketing screwed up, look at
this dashboard screenshot"

After some time

"Marketing can't handle this technical stuff [....]" -> "We can take over, we
need 3 more people for that"

"We don't have the money" -> "Then we will not release Mega-feature-X".

------
hellbanner
The web seriously sucks. One thing I admire, at least in theory, about Xbox
360 games or iOS apps is the limited access a specific program has.

[https://www.youtube.com/watch?v=CiqioE1zGCw](https://www.youtube.com/watch?v=CiqioE1zGCw)
talks about this

Why is the overwhelming majority of networked software still not secure,
despite all effort to the contrary? Why is it almost certain to get exploited
so long as attackers can craft its inputs? Why is it the case that no amount
of effort seems enough to fix software that must speak certain protocols?

The answer to these questions is that for many protocols and services
currently in use on the Internet, the problem of recognizing and validating
their "good", expected inputs from bad ones is either not well-posed or is
undecidable (i.e., no algorithm can exist to solve it in the general case),
which means that their implementations cannot even be comprehensively tested,
let alone automatically checked for weaknesses or correctness. The designers'
desire for more functionality has made these protocols effectively
unsecurable.

In this talk we'll draw a direct connection between this ubiquitous insecurity
and basic computer science concepts of Turing completeness and theory of
languages. We will show how well-meant protocol designs are doomed to their
implementations becoming clusters of 0day, and will show where to look for
these 0day. We will also discuss simple principles of how to avoid designing
such protocols.

EDIT: Sandstorm was looking to fix user permissions for individual programs on
computers (they went defunct/bankrupt/no-longer-developing last I heard).

What I'm looking for is a user-facing, user-friendly structure that A) does
only what the user wants to do, e.g. load a site, B) explicitly does NOTHING
else, e.g. run JavaScript for cryptocurrency.

How could this work? Maybe your SecureBrowser*tm would only run Javascripts
that have their hashes, and the hash of all the simultaneous Javascripts
running on that page, approved by a network. Your client frequently checks
this blockchain (why not) to download the latest approved scripts.

~~~
kentonv
> EDIT: Sandstorm was looking to fix user permissions for individual programs
> on computers (they went defunct/bankrupt/no-longer-developing last I heard).

I'm still developing, just not full-time.

~~~
brailsafe
Nice job on that house you have there. Looks like you might even be able to
play Warcraft 3 over LAN without spending the entire party trying to get it
set up.

~~~
brailsafe
Edit: Though irrelevant to the thread, this is not intended to be backhanded.
Check out the house. It's pretty cool.

------
quintin
I’ve been running a miner via coin-hive.com. The earnings are ridiculously
low. With 5 ad slots, I make around $6 RPM. With coin-hive/monero, it's not
even equivalent to $0.5. Unless you are a website with the page open for hours
and you have millions of views, this does not even make sense.

Or maybe I am not doing this right.

~~~
6nf
Yes this is what I calculated as well. Regular ads are still way more
profitable - even if you somehow convince all your visitors to keep your page
open 24/7.

Even coinhive admit that you can't use this to make real money.

~~~
pr0gramm
If it's worth it depends on the site, your target audience and the ads you'd
be allowed to show based on your content.

At this point, we (Coinhive) have paid out 992 XMR (about $89.000) to our
users. We started this service 11 days ago.

~~~
jacquesm
$89.000 or $89,000?

~~~
kbart
This still doesn't clear things up (both "," and "." can be used as thousands
and fractions separation symbol, depending on locale). A more international
way is to use whitespace or nothing at all for thousands ($89 000 or $89000)
and use "," or "." (depending on locale) for fractions only.

------
rdlecler1
In the absence of an effective micropayment method, I could see this exchange
of mining for content becoming mainstream and replacing commercials. The cost
to the viewer is ultimately a few cents of electricity, without the need for a
bank account information, which the content producer indirectly turns into
cash.

~~~
TeMPOraL
> _The cost to the viewer is ultimately a few cents of electricity_

And the cost to society is a few cents of electricity minus the fraction of a
cent the site gets, paid in fuel being wasted on producing that electricity.

Crypto mining is a disaster. If I were an evil mastermind who wanted to deepen
the energy and climate problems of the world, cryptocurrencies are what I would
push for.

~~~
kbart
Why do you think that minor cryptocurrency mining operations are worse in
regard to wasted fuel than playing computer games, watching mindless YouTube
videos, scrolling Facebook, leaving devices on when not used, lighting places
24/7 where nobody goes at night anyway etc.? We, as society, waste an enormous
amount of resources anyway; I don't see how mining in browser would even dent
that. Sure, those mega cryptocurrency mining stations are a totally different
thing, which I'm not talking about here.

~~~
criddell
Mining in a browser is going to consume my battery and bandwidth and you
shouldn't be surprised that people aren't happy about that.

~~~
kbart
_" Mining in a browser is going to consume my battery and bandwidth"_

You mean just like ads do? Of course, in a perfect world we wouldn't have
either, but I just don't see clear distinction between mining in browser or
ads or other useless/annoying things (from the user perspective).

~~~
TeMPOraL
In ads, waste of electricity is a bug. The more lean you can make them, the
better (even if only because you can then put more of them). In
cryptocurrencies, waste is a _feature_. The more power you burn, the more
money you get.

One of those disincentivizes waste (however weakly). The other incentivizes
it.

------
sumitgt
Actually, why is this not a potential legitimate business model?

I let you stream content for free and you let me mine crypto-coins with your
spare CPU cycles while you watch. Isn't that better for people who don't like
all the tracking by ads?

~~~
crooked-v
Mining in Javascript will get you less than the infrastructure costs to
provide the videos, let alone replacing ad revenue.

~~~
cptskippy
What about a clever webgl shader to leverage the GPU?

~~~
jiggunjer
Or a browser that offers a first-class mining API. Then we'll see every device
come with a specialized mining chip. As long as you meet the required number
of hashes you get the ad-free experience.

~~~
aaron-lebo
Sounds like an abomination.

~~~
jiggunjer
It might force devs to optimize code more, since there will never be any more
spare cycles muhahaha

------
nicolashahn
21st century version of
[https://en.wikipedia.org/wiki/Salami_slicing](https://en.wikipedia.org/wiki/Salami_slicing)

Can't wait for this to show up as a plot device for Mr. Robot or something.

------
brango
I wonder if sites doing this could be sued under a computer misuse act.

~~~
imaginenore
Remember Tidbit?

[https://www.eff.org/cases/rubin-v-new-jersey-tidbit](https://www.eff.org/cases/rubin-v-new-jersey-tidbit)

------
thisisit
How soon before this kind of behavior gets a worse name than actually running
ads? Coin-hive is not helping its case by allowing people to run the miner
without approval. It won't take much time before most anti-virus/malware tools
start tagging it as malicious.

------
mechnesium
The buck does not stop here. Prepare for cryptomining bloatware to come
preinstalled on all your devices in the near future.

------
dmichulke
Here's a gray market "business model":

\- Hacker H hacks site, injects cryptomining script

\- Because H doesn't want other hackers to do the same, he will make the site
secure and thereby kind of "maintain" it (in a security sense)

\- Because H doesn't want the site to slow down endlessly, he will use
cryptomining "as much as possible" while still keeping the site sufficiently
responsive (otherwise traffic would go down and net income would decrease in
the long run)

End result: a kind of a symbiotic relationship between a gray hat hacker and a
standard web content provider.

~~~
usrusr
Nothing gray about that.

But it could make an entertaining short story, with H eventually sitting in
meetings with everybody not realizing that nobody hired him, H himself slowly
forgetting that, an intermediate crisis when H's position is threatened after
a merger and a dramatic finale when all is revealed after H is chosen as the
next CEO.

------
jakeogh
As if I needed another reason to browse with JS disabled.

[https://github.com/jakeogh/glide](https://github.com/jakeogh/glide) (don't
use the recent commits)

~~~
iamgopal
The other day someone was ranting about web app technologies. This is actually
nice idea. A browser without javascript. For all the fun interaction, browser
may add extensions of widgets. Let all richness be supplied by browser.

~~~
jakeogh
That would be worse than JS obfuscation of content because now it's browser
specific PLUS you gotta execute an arb program (which is the real problem) to
(maybe) get the result.

The separation of content from presentation is a fundamental building block of
the past and future of the internet. Attempts to mix the two will fail. Flash
is dead and it's close relative javascript is next. Outdated players will
resist because without JS their data is accessible.

------
brian-armstrong
Is this a violation of the CFAA? Without explicit permission to do this, it
seems an awful lot like unauthorized use

~~~
thephyber
I'm not a lawyer, so my opinion is worth what you paid for it, but...

Without an authentication bypass, I don't think the CFAA applies (last I
perused it).

The end user probably doesn't have standing under CFAA unless the website's
ToS suggested they would not act this way. If you, as a web visitor, visit a
website you are largely at the mercy of whatever plugins they load onto your
browser during that session. In exchange for access to the content on the
site, the website owner can steal your data (tracking + analytics), your
bandwidth (autoplay advertising videos), and the processing resources
associated with loading a webpage (or whatever else you can do in a webpage).

The website's owner might be able to bring a case against the person who
injected it, perhaps (depending on who it was and who authorized it). The
infraction may not be "breaking into" a computer as the CFAA requires if it
was a CBS/Showtime employee/contractor who did it. It is almost certainly
grounds for some sort of punitive employment / civil action if it wasn't a
requested feature by CBS/Showtime.

The fun part about the law is that the gray areas aren't all defined ahead of
time. Web visitors can sue or attempt to bring criminal charges and we get to
watch how it unfolds in the courts.

~~~
schwede
But when I go to a website I expect to get the content. I don't expect the
owner to use my computer for mining. That seems like unauthorized use to me.

~~~
thephyber
While I don't think that's actually how the law can be interpreted, it does
get at the central issue most computer users/researchers have with the law. It
allows different standards for what "unauthorized" means, hence it is very
elastic and can easily be abused, especially when combined with the plea
bargain process (@see Aaron Swartz).

------
lewisl9029
If this becomes an open-source library that you can integrate into your app's
own JavaScript blob and obfuscate, it can become ridiculously difficult to
detect and distinguish from regular JavaScript processing in a sufficiently
complex web app, as long as the actual mining is throttled to a reasonably low
rate.

This seems like something that will inevitably be everywhere and displace some
use cases for advertising, and could possibly even replace it entirely
eventually. I personally see it as the lesser of two evils, as long as apps
don't try to run miners at full throttle and thereby provide a horrible user
experience, and instead operate it at say 95% idle and only when I'm actively
using the app. Although in practice I realize this is almost impossible to
identify and enforce.

I'd much rather offer some limited amount of compute on my devices to support
content creation on the web and than to offer my privacy and be subjected to
subliminal mind tricks 24/7 as I'm forced to in the status quo.

~~~
shawabawa3
I haven't done the maths, but I imagine even at full throttle it gives much
less returns than advertising

~~~
jdmichal
I just did the math for my machine, because why not...

I was getting 35 hashes a second on my stock i5 2500K [0] with four threads.
This was enough to get my fans revving up more than any game I ever play. For
that rate, it works out to ~0.0018 USD per hour, using their 47 USD rate for
the .5 XMR minimum payout.

[0] [https://ark.intel.com/products/52210/Intel-Core-i5-2500K-Processor-6M-Cache-up-to-3_70-GHz](https://ark.intel.com/products/52210/Intel-Core-i5-2500K-Processor-6M-Cache-up-to-3_70-GHz)

------
niklabh
It's just some developer who injects coin-hive code on the website he manages
hoping to make a quick buck. Executives will never direct to mine from user
considering the incredibly low ROI. And the dev is an HN reader, as the
coin-hive post was on top some days ago.

------
Animats
So where are the arrests under the Computer Fraud and Abuse Act?

~~~
Tepix
By visiting a web page with JavaScript enabled, don't you consent to running
the code they send you? If so, there is no crime.

By the way it appears we need a (configurable) CPU/GPU cycle limit for
JavaScript code in browsers now...

~~~
detaro
By downloading an executable and starting it, don't you consent to it running
on your computer? Despite this, distributing malware is illegal in most cases.

~~~
pricechild
Use the EU cookie directive as an example of why that world view isn't quite
correct.

Even before it, most browsers had optional methods of blocking cookies...

------
ramzyo
For those like me who interpreted the title to mean that CBS/Showtime had
deliberately inserted the crypto-mining code themselves and been caught red-
handed doing it: nobody knows who actually did it. The author hypothesizes
that it was some malicious actor who got access to Showtime's code base,
although this hypothesis is based on the author's surmising that it would be
extremely unlikely for CBS to do this deliberately.

------
jlebrech
If I made a cookie-clicker type app and let users know that (mining) was how I
made money I doubt there would be anything illegal about it.

------
AnIdiotOnTheNet
The economics of in-browser mining as an alternative to ads is stupid.
Everyone would be better off if the user just paid a fraction of a cent per
page visit with a credit card. That such a convoluted and inefficient mechanism
is being seriously considered is a demonstration of how woefully ill-suited
our economic model is in the information age.

------
zitterbewegung
Is there a tool like an AdBlocker for crypto coin miners ? Or are they
recognized by AdBlockers ?

~~~
kbart
You can always block JS from known sources that do this (use NoScript or
similar), though I don't know any automatic way yet.

------
slezyr
Is it intentional?

3 quite big Ukrainian web sites were found to use the same script.

[https://www.facebook.com/evg.bell/posts/1629626063766125](https://www.facebook.com/evg.bell/posts/1629626063766125)

------
dbcooper
uBlock Origin added some filters for miner scripts:

[https://github.com/uBlockOrigin/uAssets/issues/690](https://github.com/uBlockOrigin/uAssets/issues/690)

------
hohenheim
The important bit is at the end of the article:

"Meanwhile, ad blocking tools are now killing the JavaScript on sight."

The irony though: replace ads with JS mining crypto currency. And guess who
is blocking them...

------
s17tnet
They discovered same thing on thepiratebay days ago. Probably they are
uncovering a possible alternative to the banner based web economy.

------
personjerry
Is this illegal? (Like should they arrest whomever put that code in?)

------
foota
Catch my ICO for VidCoin now while supplies last!

~~~
xrjn
Do you have a white paper?

------
hrasyid
If running ads is acceptable, why is this bad?

~~~
Lev1a
Does running ads multiply your electricity costs (run your battery dry) and/or
burn up your CPU? No.

Does cryptocurrency mining do that? Yes.

Do you see the difference now?

~~~
reinhardt1053
Running ads also drains your battery.

~~~
Lev1a
Do ads make your CPU run at 100% load? Most likely not. Yet mining scripts
will do just that.

~~~
hrasyid
Does that mean a mining script that throttles its resource usage would be
acceptable?

~~~
Lev1a
No, they're still using your computational resources without your (informed)
consent for their own (financial) gain.

------
xRahul
So, I've heard it happening to thepiratebay before this. Does this mean
someone at CBS uses pirate bay and got the idea?

~~~
CoryG89
I think it's fairly certain that _someone_ at CBS uses pirate bay. Though I
doubt that is the source of inspiration for this.

