
Who and what is Coinhive? - andimm
https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/
======
lost_my_pwd
_"But according to Troy Mursch, a security expert who spends much of his time
tracking Coinhive and other instances of “cryptojacking,” killing the key
doesn’t do anything to stop Coinhive’s code from continuing to mine Monero on
a hacked site. Once a key is invalidated, Mursch said, Coinhive keeps 100
percent of the cryptocurrency mined by sites tied to that account from then
on."_

This is where I think Coinhive ethically crosses the line; perhaps legally,
too. The mining scripts should stop when contacting Coinhive and determining
that the specified key/ID has been disabled due to complaints or fraud.

~~~
mtve
Just to continue the quote from the article:

_Reached for comment about this apparent conflict of interest, Coinhive
replied with a highly technical response, claiming the organization is working
on a fix to correct that conflict.

“We have developed Coinhive under the assumption that site keys are
immutable,” Coinhive wrote in an email to KrebsOnSecurity. “This is evident by
the fact that a site key can not be deleted by a user. This assumption greatly
simplified our initial development. We can cache site keys on our WebSocket
servers instead of reloading them from the database for every new client.
We’re working on a mechanism [to] propagate the invalidation of a key to our
WebSocket servers.”_

~~~
calibas
Meaning they'll "fix" it when they're forced to, but in the meantime they'll
make a nice profit off the "broken" code.

------
hopfog
When Coinhive was released I was really intrigued and imagined a lot of cool
ways of doing micropayments. I even built a multiplayer game where you had to
mine in order to get in-game credits (you can find the URL in my comment
history), which was fairly well received by the players.

It was a proof-of-concept and when I saw that it worked I started building a
proper version of it. However, soon thereafter rogue actors started using
Coinhive for malicious things and I'm now at a point where I don't feel like
continuing on the game. I still think it's a cool concept and my game is very
clearly opt-in where I explain what will happen when you press "Start mining".

It feels like "this is why we can't have nice things" is applicable here.

~~~
tmpmov
You may find it less palatable, but I could totally see the 'free to play'
games going down the road of cryptocurrency mining.

As your project did before, you could tie the mining to in-game currency. If
the underlying blockchain is actively traded you could even scale the game
currency with real currency in some way... 0.0001 cent is a gold coin for
example. Payment that way would seem fairly above board, especially if you
clearly tell the player about the taxing system -- this could then be your
funding.

~~~
piracy1
I think most people would even prefer that to ads, I'd much rather have you
utilize 30% of my CPU for a while than make me watch an ad.

~~~
berkes
On mobile that is a bit more difficult. But even there: I'd rather have my
battery drained by a clear, transparent miner than through spying and data-
mining ads.

Though, in reality, I'd rather not have my battery drained at all; so I'd
disable this when not plugged in. Or for desktop only.

------
TravelTechGuy
_”For roughly a week in January, Coinhive was found hidden inside of YouTube
advertisements (via Google’s DoubleClick platform)”_.

I’m shocked, and very surprised to hear that malware code is disseminated
through innocent ads put out there by a user-loving, “do no evil” company. /s

Now, can we please finally conclude that an ad blocker in your browser is
mandatory?

~~~
bronson
Sure! Do no evil, right?

[https://www.theverge.com/2018/2/14/17011266/google-chrome-ad...](https://www.theverge.com/2018/2/14/17011266/google-chrome-ad-blocker-features)

------
ballenf
Has anyone found attempts to deobfuscate the coinhive source code? Maybe my
google-fu needs improvement...

I found a github page that provides a proxy to the coinhive allowing the user
to keep 100% of the profit, but it doesn't even link to the coinhive code that
I could see. ([https://github.com/cazala/coin-hive-stratum](https://github.com/cazala/coin-hive-stratum))

Also found this, [https://jonathanmh.com/testing-coin-hive-crowd-source-monero...](https://jonathanmh.com/testing-coin-hive-crowd-source-monero-mining/). Interesting but no source code.

~~~
hopfog
The actual miner is using WebAssembly so I don't know if it's even possible to
deobfuscate in a sensible manner.

~~~
berkes
I've tried to reverse engineer it, but failed. The best place to start, IMO,
is the communication between client and server over a websocket. It is binary,
but shows some interesting data and keys (as in key names, from key-value, not
crypto keys).

My idea was to make an API rate limiter, where a client has to submit a list
of calculated hashes (PoW) with each request and so protect the API against
bots, scrapers and other (D)DoS attacks. Bad idea, because the data that has
to be transferred (in headers) is going to be huge, megabytes, if you want to
make even a few cents on a million-hits-per-day API.

------
spectaclepiece
Found Dr. Matthias Moench to be the real gem in this story. Here is the
translated version of the Die Welt article:

[https://translate.googleusercontent.com/translate_c?depth=1&...](https://translate.googleusercontent.com/translate_c?depth=1&hl=en&nv=1&rurl=translate.google.com&sl=auto&sp=nmt4&tl=en&u=https://www.welt.de/wirtschaft/article135077209/Viagra-ist-fuer-Gangster-heute-lukrativer-als-Kokain.html&xid=25657,15700022,15700043,15700105,15700124,15700126,15700149,15700168,15700186,15700201&usg=ALkJrhj30tQD5O_BVoUt00qDsfxMLHZhPg)

------
pietroglyph
It's unfortunate that Coinhive has given this type of monetization a bad
reputation; at least their shady practices make it that much easier for a
competitor to enter this space. I hope that someone can come along with a
transparent mining script that has an expedient abuse resolution process, and
no tracking. Hopefully that's enough to overcome the stigma now associated
with this type of monetization. I would certainly prefer that to regular ads.

~~~
banachtarski
You'd prefer lower battery life and worsened browser performance?

~~~
Psilidae
That's also a description of ads.

~~~
banachtarski
I think solving hashes ad nauseum while the page is loaded (and beyond due to
service workers) is _well_ beyond a typical ad in terms of resource
consumption.

------
realPubkey
The pr0gramm.com-admins spend the whole day banning users that upload
screenshots of this article to the platform.

~~~
lawl
I mean, doxxing Gamb wasn't really necessary, he was always very paranoid
about being doxxed, and users of the site know what happened to cha0s when he
was doxxed. So i understand that they want to think a bit about how to handle
this situation.

I've complained about krebs being an asshole before on HN and this pretty much
confirms it.

What exactly did doxxing people contribute to this story?

Edit: This might actually be the final straw that breaks the camel's back and
pr0gramm will go down.

So thanks for that, Krebs. I wonder if Brian knows that Krebs means cancer in
German. It's somehow fitting.

~~~
lawl
Can't edit anymore, but:

Yup, I pretty much predicted Gamb's official statement.

They really don't like the doxxing. They posted an official statement and
asked nicely to not post their private info on the website as everyone can
google it now. And if shit gets out of hand with their private data in the
public now they'll shut down the website.

Edit: Oh, they also said they've never banned anyone for posting the
screenshot but asked them nicely to wait for the statement.

~~~
uhmwhat
Private information? If it was so private, how was Krabs able to get it all
off of domains they registered? Answer: It was never private, and just nobody
bothered to connect the dots before now.

~~~
gant
Just because Denic doesn't allow private domain registrations doesn't mean
you're supposed to go after people and dump their personal info into your
popular blog. Large parts of the information were historical data persisted by
third parties that'd be hard to expunge. There's a good reason for pr0gramm
admins to want to remain anonymous - cha0s initially quit the site because he
received an 80kg steel oven as sort of a threat. The post includes names and
contact information of volunteer moderators that weren't even part of their
company.

But Brian Krebs' private information - which is definitely out there - is to
be kept out of public view? I'm sure he'd pursue legal action if I put that on
my blog with some half-baked accusations.

It's wrong, plain and simple, which is why pr0gramm moderators have been
removing posts with both their own private information and krebs'.

------
TaylorGood
Why is Coinhive seemingly the sole option for this tool? If it's just code,
what is to stop a different group of devs from replicating the process?

~~~
astrodust
People are lazy.

------
hippich
Just a heads up - we, Hashcash.io, are working on V2 of our product which will
incorporate some bits discussed here: mining and currency and micropayments
with a new blockchain and PoW approach. We applied to the YC18 summer batch,
but either way we are going to launch it, it will just depend how soon.

If you are interested - leave an email on website :)

------
usernam33
Here is a followup post to the article.
[https://news.ycombinator.com/item?id=16696865](https://news.ycombinator.com/item?id=16696865)

