Google Tag Manager is a serious game-changer that provides the kind of competitive edge our clients need.
- Caleb Whitmore, Founder & Chairman, Analytics Pros
You want to let Marketing add script tags on the fly? Are you fucking insane?
- Anonymous Developer
An unexpected side benefit was being able to demonstrate side by side the effect that 200 extra scripts were having on pageload times.
And getting to the data, getting meaningful information from all that information the analytics team was hoarding was a huge pain. They were like "No throw, only take!" (https://i.imgur.com/q46L4QH.jpg)
The discrepancy between the care taken about deployment strategies and these regular issues always bothered me, but eventually things became more consistent. That is, our deployment strategy became haphazard and gung-ho too!
I had a similar request for Google Tags and I explained my concerns to my CTO and voila, no Google Tags that didn't come through us.
Low pressure, many resources (money) => Review/Implement all Google Tags changes
High pressure, low resources (money) => Marketing can do their own thing to reduce pressure on the development team.
HM and LL are somewhere in between.
Classic trade-off like most of the things in software development.
"Marketing can do their own thing" makes for more work and pressure on the development team. "Why doesn't this work in production?" "Why is this slow in production?"
Nobody gets to skip CI, or work without coordination.
"Why doesn't this work in production?" -> "Because Marketing screwed up, look at this dashboard screenshot"
"Why is this slow in production?" -> "Because Marketing screwed up, look at this dashboard screenshot"
After some time
"Marketing can't handle this technical stuff [....]" -> "We can take over, we need 3 more people for that"
"We don't have the money" -> "Then we will not release Mega-feature-X".
They didn't put anything through the third-party. It's commented as NewRelic, but anyone even glancing at the link would notice this is completely wrong.
As you might appreciate the "loop-hole", I'm sure there are many developers who hate it because they have to fix your "fix" in the future.
https://www.youtube.com/watch?v=CiqioE1zGCw talks about this
Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?
The answer to these questions is that for many protocols and services currently in use on the Internet, the problem of recognizing and validating their "good", expected inputs from bad ones is either not well-posed or is undecidable (i.e., no algorithm can exist to solve it in the general case), which means that their implementations cannot even be comprehensively tested, let alone automatically checked for weaknesses or correctness. The designers' desire for more functionality has made these protocols effectively unsecurable.
In this talk we'll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0day, and will show where to look for these 0day. We will also discuss simple principles of how to avoid designing such protocols.
EDIT: Sandstorm was looking to fix user permissions for individual programs on computers (they went defunct/bankrupt/no-longer-developing last I heard).
This is a super naive view of the world.
Nowadays most hacking incidents are based on social engineering, meaning it's not the technology that's weak, it's humans who are the least secure. Yes that includes you and me.
So NO, your solution won't fix anything. Believing that a technical solution can fix everything is the most dangerous thing because in reality it will never be safe but you just have a false sense of safety, which is how most hacks happen--most hacks are carried out by taking advantage of this mentality that everything is safe enough, which in reality isn't.
You will probably believe that the system you designed is super safe because it only lets people do what they said they wanted to do, but as I said, most hacking incidents are social engineering, so someone will definitely take advantage of this and attack you where you least expect it.
The video is arguing: why should a doorbell have the ability to set your house on fire? (Metaphorically).
Heartbleed was an issue of exactly this
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software"
Architecturally, this should never have been possible.
Obviously attackers are going to look for the weakest point, but your argument sounds like "social engineering should happen, so don't bother locking your doors at all".
The only thing I was criticizing was you seem to think it's easy to simply create a secure system. It's not. That's why there are tons of smart people in security but hacks still happen.
I'm still developing, just not full-time.
This is a step in the right direction and does satisfy the 2 basic requirements I listed for more security, thanks for sharing!
uBlock works on Firefox too. Can't get more open shots than that.
There is a learning curve, but it's fine once you get up to speed. It's a bit like NoScript, but on steroids.
Sounds like you want the next-gen version of what https://en.wikipedia.org/wiki/Project_Xanadu was supposed to be. Unfortunately while you were discussing the above with like-minded peers other people were shipping things that users (not designers, users) want. The latter always trumps the former.
I agree with you philosophically - how could you not - but how do you have your cake and eat it, too, in this regard? Xanadu was impossible enough, and expecting to have all its trappings with the best parts of TimBL seems like the recipe for a classic Borges tragicomic short story.
2) Just use NoScript if you’re that paranoid.
That's interesting, but I'm not sure it's relevant here because downloading and executing arbitrary code without understanding what it does is a fundamentally insecure thing to do.
Unfortunately, the same technology is used by Facebook, Google, etc. to track people around the internet, so it's unlikely to get "fixed" any time soon.
The langsec approach of using formal recognizers that validate the validity of input before processing it in any way (stop creating weird machines!), and designing network protocols that are actually decidable without solving the halting problem (network input must be no more complex than deterministic context-free) should be considered the bare minimum for all network-associated software. It won't solve all security problems, but we should at least be handling the problems we know how to solve. Anything less should be considered severely unprofessional, and at least civilly negligent.
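To make the "recognize before you process" point concrete, here is an added example (not from any commenter, and not OpenSSL's code) of a full recognizer for a heartbeat-style record of the kind Heartbleed abused: the field layout follows RFC 6520 (1-byte type, 2-byte length, payload, at least 16 bytes of padding), while the sample records and the function names are constructed for this illustration.

```python
import struct
from typing import Tuple

# Record layout modelled on TLS heartbeat (RFC 6520): 1-byte type,
# 2-byte big-endian payload_length, payload, then >= 16 bytes padding.
HEADER_LEN = 3
MIN_PADDING = 16
HB_REQUEST, HB_RESPONSE = 1, 2


def encode_heartbeat(msg_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Build a well-formed record whose declared length matches the payload."""
    if msg_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError("unknown heartbeat type")
    if len(payload) > 0xFFFF or padding_len < MIN_PADDING:
        raise ValueError("payload too long or padding too short")
    return struct.pack("!BH", msg_type, len(payload)) + payload + b"\x00" * padding_len


def recognize_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Full recognizer: accept the record only if every field is consistent,
    then return (type, payload).  Nothing is read or echoed before this passes."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise ValueError("record shorter than header plus minimum padding")
    msg_type, declared = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError("unknown heartbeat type")
    # The check the vulnerable code path lacked: the peer-supplied length
    # must be covered by bytes that are actually present in this record.
    if HEADER_LEN + declared + MIN_PADDING > len(record):
        raise ValueError("declared payload length exceeds record")
    return msg_type, record[HEADER_LEN:HEADER_LEN + declared]


def heartbeat_response(request: bytes) -> bytes:
    """Echo the payload back only after the request has been fully recognised."""
    msg_type, payload = recognize_heartbeat(request)
    if msg_type != HB_REQUEST:
        raise ValueError("not a heartbeat request")
    return encode_heartbeat(HB_RESPONSE, payload)


# Constructed samples: an honest request, and one whose header claims a
# 64 KiB payload while carrying only three bytes.
GOOD_REQUEST = encode_heartbeat(HB_REQUEST, b"ping")
BAD_REQUEST = struct.pack("!BH", HB_REQUEST, 0xFFFF) + b"hat" + b"\x00" * MIN_PADDING


def demo() -> dict:
    """Run both samples through the recognizer and report the outcome."""
    results = {"good": recognize_heartbeat(GOOD_REQUEST)[1]}
    try:
        recognize_heartbeat(BAD_REQUEST)
        results["bad"] = "accepted"
    except ValueError as exc:
        results["bad"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print(demo())
```

The declared-length check is the whole difference: a parser that trusts the length field and copies that many bytes is the "weird machine" the comment warns about, while the recognizer rejects the record before any copy happens.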
> The web seriously sucks.
Dan Geer discussed his terrifying visions of the future in a recent keynote. The suck extends far beyond the web; "Cybersecurity and the future of humanity are conjoined". He gives many examples that demonstrate just how bad the suck is, and how ill-prepared the world is for these looming problems - at any level of society.
> The cumulative effect of the curves for computing, storage, and bandwidth is this: in 1986 you could fill the world's total storage using the world's total bandwidth in two days. Today, it would probably take nine months of the world's total bandwidth to fill the world's total storage, but because of replication, synchronization, and sensor-driven autonomy, it is no longer really possible to know how much data there is. Decision making that depends or depended on knowing how much data there is is over.
What is the solution?
> To be deadly serious about cybersecurity requires that --EITHER-- we damp down the rate of change, slowing it enough to give prediction operational validity --OR-- we purposely increase unpredictability so that the opposition's targeting exercise grows too hard for them to do. In the former, we give up many and various sorts of progress. In the latter, we give up many and various sorts of freedom as it would be the machines then in charge, not us. Either way, the conjoining is irreversible.
I'm wondering how bad this will get before the masses declare a Butlerian Jihad. I personally know a handful of people that already use a revolt against technology as their primary political belief.
Or maybe I am not doing this right.
Even coinhive admit that you can't use this to make real money.
At this point, we (Coinhive) have paid out 992 XMR (about $89.000) to our users. We started this service 11 days ago.
And the cost to society is a few cents of electricity minus the fraction of a cent the site gets, paid in fuel being wasted on producing that electricity.
Crypto mining is a disaster. If I were an evil mastermind who wanted to deepen the energy and climate problems of the world, cryptocurrencies is what I would push for.
Advertising today is mostly a zero-sum game, where all the effort you put into it goes to offset the equivalent effort your competitor puts into it. Thus it forms a feedback loop of ever increasing waste.
Still, this topic is not relevant to discussion about merits of cryptocurrencies.
You mean just like ads do? Of course, in a perfect world we wouldn't have either, but I just don't see clear distinction between mining in browser or ads or other useless/annoying things (from the user perspective).
One of those disincentivizes waste (however weakly). The other incentivizes it.
> playing computer games, watching mindless YouTube videos, scrolling Facebook, leaving devices on when not used, lighting places 24/7 where nobody goes at night anyway etc.?
We do. But all those examples are the case where energy use gives us something (fun, convenience) and where the waste is bounded (there're only so many devices I can leave powered, and also I have to pay for the power they use). Crypto mining literally pays you for wasting power, so the more electricity you can burn, the more money you get. And the more people join in, the more you have to burn to keep up. So there's almost no ceiling to how much personally you get to waste, and a strong incentive to waste as much as you can.
And what's all of that for? To replace a system that works fine and does not have a greed-powered feedback loop of waste? That's just dumb.
 - Currently. Hopefully they'll always stay that way, but there's an off chance this becomes so popular that all new computers will come equipped with additional hardware and drivers to mine crypto for micropayments.
Well, you (or somebody else) still has to pay for the power consumption used for mining, so it just converts money you pay for your energy bill into micropayments (though at a very unfavorable rate as of yet). Don't get me wrong, I don't advocate such shady behavior in any way, just wanted to point out that this "wasted power" point is a bit of a stretch.
Or put differently, cryptocurrencies are trying to replace a system that's O(log n) with respect to energy with a system that's O(n^2), for questionable and mostly imaginary benefit of trustless payments.
For a regular computer plugged in to a real electricity network, maybe. For a person on battery, or trying to charge their device before going out, or on a limited power supply (e.g. small home battery supplied by solar panel, or a car charger), it's more than that.
If this becomes mainstream, the overall difficulty of the cryptocurrency they're mining will rise, making it less rewarding.
In other words you have a "micropayment" method where you can't really fix the price unless you're willing to force the user to mine for a certain amount of time before they can access the content. All I see is a good way to waste energy.
Mining from a random browser will almost certainly never be cost effective for the user; you're better off buying or renting dedicated hardware, mining on it and using the reward to pay for microtransactions.
The Coinhive Monero miner is about 65% as fast as a native miner would be, at least in browsers that support WASM.
Disclaimer: I wrote the Coinhive Monero miner.
Maybe Intel will throw it on their chips as a processor extension.
At US electricity prices.
At German electricity prices of $0.40 per kWh, this is costing you a magnitude more than the site even gets.
This article by Jakob Nielsen already called for them 20 years ago and if you read it today, it doesn't look like we moved a bit considering ads on websites.
The payment overhead with traditional payment options is just too big. Paypal has 30 cents per transaction IIRC? Way too much if you just want to process a few cents or even a fraction of a cent. Systems like Flattr or Kachingle solve this in another interesting way but it's still not ideal.
Crypto currencies would solve this problem nicely but of course, there need to be easier ways of getting them and paying with them. I have no doubts that the latter will come quickly (see also the new Payment Request API). The former, we'll have to see. But I'm optimistic and would be surprised if we didn't have that within 5 years.
A crypto currency backed by a real world currency would of course be best as you don't have an issue with volatility but you have to live with some volatility anyway, if you don't restrict yourself from buying from places that use the same currency as you.
Anonymity is obviously not a problem for most people as you can see by all those people that use Paypal and credit cards. For those people even the level of pseudonymity that Bitcoin offers would actually be an improvement.
Replaces? Like they'll ever give those up...
I let you stream content for free and you let me mine crypto-coins with your spare CPU cycles while you watch. Isn't that better for people who don't like all the tracking by ads?
Without that, I think people are unlikely to be sympathetic and they'll be snagged by ad blockers rapidly: consent is the cornerstone of products people like.
Or maybe search rankings will be affected by CPU usage, and bandwidth.
I was thinking the same thing the other day when I first heard about it. One of the main issues with existing subscription models is that some people only want to consume a small fraction of what is available from a service provider (news, music, video etc) yet have to pay a not-insignificant fee for access to everything. A good example would be the latest Star Trek series only being available in the US via CBS All Access (thankful that I'm in a country where it'll be available on Netflix).
If I could lease out my CPU for a real-time exchange of services, that'd suit me just fine. I already have accounts with an energy provider and ISP, so it's one fewer monetary relationship I need to worry about.
You could be asked on a per view basis, so by default all sites are blocked and need to ask for the exchange to be approved. You could also white-list trusted sites, or for a set period approve all requests not unlike a software firewall e.g. Little Snitch paired with an ad-blocker.
This is something the W3C should standardise at the browser level so it's not inefficient and works across different browsers effectively. It could potentially save journalism and other business models that don't jive well with existing subscription/payment structures.
It's like driving for Uber where in the end you pay more for repairs than you would get in salary.
edit: And CBS most likely never ordained the mining to begin with.
I see it alongside ads.
Also, I question whether it's a sensible use of electricity on the whole.
I'm more worried about the precedent, "informed consent" can always be buried deep in a T&C document.
Downloading the 1080p torrent off TPB.
A single computer earns pennies, a couple hundred thousand earn way more.
Personally, I don't mind it so long as it is both fully disclosed and the ramifications fully explained - both in an accessible manner to a layperson. So long as they do that, I'm okay with it. I'm more okay with it if they give the user a simple means to opt out in a meaningful fashion.
Now, chances are exactly none of those conditions will be met in the real world. But, in principle, I am okay with it.
> "Upon reviewing our products and code, the HTML comments shown in the screenshot that are referencing newrelic were not injected by New Relic's agents. It appears they were added to the website by its developers."
> [Coin Hive] did confirm to us, however, that the email address used to set up the account was a personal one, and was not an official CBS email address, further suggesting malicious activity.
Furthermore you can't even fix the price of the payment since you're at the mercy of the hash difficulty and the cryptocurrency value. Doesn't seem like a very good business model to me.
"Spare CPU cycles" were only a thing back in the 90's, when CPUs ran at a fixed frequency, and it didn't make much difference whether it was running useful code or waiting in the idle loop. Nowadays, the frequency and voltage vary depending on whether the CPU is being used or not, so instead of "spare cycles" doing nothing the CPU powers itself down.
Then again, that seems like one of the fastest ways to make the average citizen actually angry at the Great Firewall.
Can't wait for this to show up as a plot device for Mr. Robot or something.
- Hacker H hacks site, injects cryptomining script
- Because H doesn't want other hackers to do the same, he will make the site secure and thereby kind of "maintain" it (in a security sense)
- Because H doesn't want the site to slow down endlessly, he will use cryptomining "as much as possible" while still keeping the site sufficiently responsive (otherwise traffic would go down and net income would decrease in the long run)
End result: a kind of a symbiotic relationship between a gray hat hacker and a standard web content provider.
But it could make an entertaining short story, with H eventually sitting in meetings with everybody not realizing that nobody hired him, H himself slowly forgetting that, an intermediate crisis when H's position is threatened after a merger and a dramatic finale when all is revealed after H is chosen as the next CEO.
While your plan makes sense, I can see a future where there are two big gray-market parties left that use the equipment under their control to attack the other party, and not mine crypto...
https://github.com/jakeogh/glide (don't use the recent commits)
I don't see any problem with crypto-miners on pages for revenue though. They're no more resource stealing or annoying than the typical JS 'web app' that passes for a website these days.
Without an authentication bypass, I don't think the CFAA applies (last I perused it).
The end user probably doesn't have standing under CFAA unless the website's ToS suggested they would not act this way. If you, as a web visitor, visit a website you are largely at the mercy of whatever plugins they load onto your browser during that session. In exchange for access to the content on the site, the website owner can steal your data (tracking + analytics), your bandwidth (autoplay advertising videos), and the processing resources associated with loading a webpage (or whatever else you can do in a webpage).
The website's owner might be able to bring a case against the person who injected it, perhaps (depending on who it was and who authorized it). The infraction may not be "breaking into" a computer as the CFAA requires if it was a CBS/Showtime employee/contractor who did it. It is almost certainly grounds for some sort of punitive employment / civil action if it wasn't a requested feature by CBS/Showtime.
The fun part about the law is that the gray areas aren't all defined ahead of time. Web visitors can sue or attempt to bring criminal charges and we get to watch how it unfolds in the courts.
This seems like something that will inevitably be everywhere and displace some use cases for advertising, and could possibly even replace it entirely eventually. I personally see it as the lesser of two evils, as long as apps don't try to run miners at full throttle and thereby provide a horrible user experience, and instead operate it at say 95% idle and only when I'm actively using the app. Although in practice I realize this is almost impossible to identify and enforce.
I'd much rather offer some limited amount of compute on my devices to support content creation on the web than offer my privacy and be subjected to subliminal mind tricks 24/7 as I'm forced to in the status quo.
I was getting 35 hashes a second on my stock i5 2500K with four threads. This was enough to get my fans revving up more than any game I ever play. For that rate, it works out to ~0.0018 USD per hour, using their 47 USD rate for the .5 XMR minimum payout.
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
Even before it, most browsers had optional methods of blocking cookies...
3 quite big Ukrainian web sites were found to use the same script.
The irony though: replace ads with JS mining crypto currency. And guess who is blocking them...
Does cryptocurrency mining do that?
Do you see the difference now?