CBS's Showtime caught mining crypto-coins in viewers' web browsers (theregister.com)
375 points by quigglebotts on Sept 25, 2017 | 213 comments

I bet some clever person on the marketing team just went ahead and inserted the tag. My first experience on a large corporate dev team was eye-opening. While the core product code was version controlled and reviewed, the marketing team had the power to insert any kind of scripts onto the page without clearance. In theory, anything new on the page would require many ridiculous meetings. In practice, they could and did put in whatever through a third-party like New Relic.

Google Tag Manager! So flexible, so innovative!

Google Tag Manager is a serious game-changer that provides the kind of competitive edge our clients need.

- Caleb Whitmore, Founder & Chairman, Analytics Pros

You want to let Marketing add script tags on the fly? Are you fucking insane?

- Anonymous Developer

That's the one :)

Tealium was my worst enemy at a previous job. 5 different departments had access to dump whatever garbage scripts they wanted on the website with no auditing by devs to make sure it wouldn't break things. I eventually put in a feature flag to nuke everything from Tealium to help us debug problems because so many were caused by rogue scripts.

An unexpected side benefit was being able to demonstrate side by side the effect that 200 extra scripts were having on pageload times.

So this is why "modern" websites take 30 seconds to load!

Can confirm. We had a single-page app that, on navigation, did just one request (REST API call to fetch data), and 15 others for analytics. They fetched JS from the tag manager, which in turn included GA's analytics.js (again, it was a memory leak so if you used the app long enough you'd end up with dozens if not hundreds of lines of analytics.js including script tags), etc.

And getting to the data, getting meaningful information from all that information the analytics team was hoarding was a huge pain. They were like "No throw, only take!" (https://i.imgur.com/q46L4QH.jpg)

Ha, that gives me flashbacks! I worked in a similar environment where more than once the production site(s) (multi-country deployment, big brand) would show a blank screen because some ad script did a "document.write". Or some hastily-added external dependency would stop working and render the site unusable.

The discrepancy between the care taken about deployment strategies and these regular issues always bothered me, but eventually things became more consistent. That is, our deployment strategy became haphazard and gung-ho too!

We iframed all the ads after a few of them f###ed with our website. It's not needed if you work with AdSense, but we had multiple vendors and private deals, custom ads of all kinds.

Then your code wasn't version controlled and reviewed.

I had a similar request for Google Tags and I explained my concerns to my CTO and voila, no Google Tags that didn't come through us.

It depends on the market pressure and resources you have.

Low pressure, many resources (money) => Review/Implement all Google Tags changes

High pressure, low resources (money) => Marketing can do their own thing to reduce pressure on the development team.

HM and LL are somewhere in between.

Classic trade off like most of the things in software development.

> High pressure, low resources (money) => Marketing can do their own thing to reduce pressure on the development team.

"Marketing can do their own thing" makes for more work and pressure on the development team. "Why doesn't this work in production?" "Why is this slow in production?"

Nobody gets to skip CI, or work without coordination.

Your experiences differ from mine.

"Why doesn't this work in production?" -> "Because Marketing screwed up, look at this dashboard screenshot"

"Why is this slow in production?" -> "Because Marketing screwed up, look at this dashboard screenshot"

After some time

"Marketing can't handle this technical stuff [....]" -> "We can take over, we need 3 more people for that"

"We don't have the money" -> "Then we will not release Mega-feature-X".

The kicker for me is that they expect you to act like they're doing you a favor and reducing your workload. Sorry, your next release is delayed because your previous attempt at "helping" is screwing things up.

In theory, theory and practice are the same. In practice, they are not.

> they could and did put in whatever through a third-party like New Relic.

They didn't put anything through the third-party. It's commented as NewRelic, but anyone even glancing at the link would notice this is completely wrong.

I wasn't suggesting that New Relic is to blame. I was suggesting that New Relic allowed somebody to put arbitrary script tags onto the page. It's more likely that Google Tag Manager allowed this and possible that New Relic doesn't allow this sort of thing.

As a marketer and coder, I appreciate those loopholes to make sh*t work (I used to do it all of the time, and was pretty much the basis I was hired on at my previous job) :) although I would concede giving anyone the option if they don't have tech experience is a nightmare waiting to happen.

"To make shit work", that is where the devil is. In the same line as, "how hard could it be". Having a tunnel vision to get something fixed right now with no regards to what will happen in the future. How the code will be maintained. Who will maintain it, and such.

As you might appreciate the "loop-hole", I'm sure there are many developers who hate it because they have to fix your "fix" in the future.

You bring up an interesting tangent that I'll speak to. As a marketer who needs to get things done, I feel you. At this organization, this was in the general interest of all of the middle managers as well. This encouraged more and more off-the-shelf "solutions" to be jammed in, and disorganization of the core team development. I was a contractor here, and the core code base was crammed with bandage quick fixes to the point where it was actually suggested to use Google Tag Manager to change code on the fly for other third-party scripts.

NewRelic doesn’t let you add random JS, it only injects their browser monitoring script. Don’t spread fake news.

What are you trying to show? The page describes either manually copying NR's snippet, or injecting it via an agent. But it's always going to point at the newrelic server.

The web seriously sucks. One thing I admire, at least in theory, about Xbox 360 games or iOS apps is the limited access a specific program can run.

https://www.youtube.com/watch?v=CiqioE1zGCw talks about this

Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?

The answer to these questions is that for many protocols and services currently in use on the Internet, the problem of recognizing and validating their "good", expected inputs from bad ones is either not well-posed or is undecidable (i.e., no algorithm can exist to solve it in the general case), which means that their implementations cannot even be comprehensively tested, let alone automatically checked for weaknesses or correctness. The designers' desire for more functionality has made these protocols effectively unsecurable.

In this talk we'll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0day, and will show where to look for these 0day. We will also discuss simple principles of how to avoid designing such protocols.

EDIT: Sandstorm was looking to fix user permissions for individual programs on computers (they went defunct/bankrupt/no-longer-developing last I heard).

What I'm looking for is a user-facing, user-friendly structure that A) does only what the user wants to do, e.g. load a site, and B) explicitly does NOTHING else, e.g. run JavaScript for cryptocurrency mining.

How could this work? Maybe your SecureBrowser*tm would only run Javascripts that have their hashes, and the hash of all the simultaneous Javascripts running on that page, approved by a network. Your client frequently checks this blockchain (why not) to download the latest approved scripts.

> Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?

This is a super naive view of the world.

Nowadays most hacking incidents are based on social engineering, meaning it's not the technology that's weak, it's humans who are the least secure. Yes that includes you and me.

So NO, your solution won't fix anything. Believing that a technical solution can fix everything is the most dangerous thing because in reality it will never be safe but you just have a false sense of safety, which is how most hacks happen--most hacks are carried out by taking advantage of this mentality that everything is safe enough, which in reality isn't.

You will probably believe that the system you designed is super safe because it only lets people do what they said they wanted to do, but as I said, most hacking incidents are social engineering, so someone will definitely take advantage of this and attack you where you least expect it.

Social engineering is responsible, in part or entirely, for many hacks. I'm not arguing that technical solutions will "fix everything". Technical stability is one aspect of secure systems.

The video is arguing: why should a doorbell have the ability to set your house on fire? (Metaphorically).

Heartbleed was an issue of exactly this

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software"

Architecturally, this should never have been possible.



Obviously attackers are going to look for the weakest point, but your argument sounds like "social engineering should happen, so don't bother locking your doors at all".

No, I was only arguing it's not as easy as you think. Just like the solution you suggested can easily be hacked, any technological solution a human being comes up with is vulnerable to hacks.

The only thing I was criticizing was you seem to think it's easy to simply create a secure system. It's not. That's why there are tons of smart people in security but hacks still happen.

He's saying we know how to increase the energy needed to compromise a system, while spending less energy than would otherwise happen in the case of compromise. The harder a task is, the less often the task occurs.

Yes hacks still happen. See pharrington's response. I don't think it's easy to create a secure system. I'm in favor of making software more difficult to hack. I think the Heartbleed example speaks for itself.

> EDIT: Sandstorm was looking to fix user permissions for individual programs on computers (they went defunct/bankrupt/no-longer-developing last I heard).

I'm still developing, just not full-time.

I'm glad to hear this! Thank you for working on Sandstorm.

Nice job on that house you have there. Looks like you might even be able to play Warcraft 3 over LAN without spending the entire party trying to get it set up.

Edit: Though irrelevant to the thread, this is not intended to be backhanded. Check out the house. It's pretty cool.

> What I'm looking for is a user-facing, user-friendly structure that A) Does only what the user wants to do eg. load site B) Explicitly does NOTHING else eg run javascripts for cryptocurrency.

Wish there was an open-source browser that did this, with the SecureBrowser*tm concept in my above post to automate this.

This is a step in the right direction and does satisfy the 2 basic requirements I listed for more security, thanks for sharing!

> Wish there was open-source browser

uBlock works on Firefox too. Can't get more open shots than that.

https://www.ublock.org/ for anyone interested

The Web with a gatekeeper isn't the Web anymore. If you want a curated walled garden, App Stores are readily available and have tons of content.

When you get a spare half hour to figure it out well enough, add the uMatrix extension to your browser. It is like an old-school software firewall, except it is for your browser.

There is a learning curve, but it's fine once you get up to speed. It's a bit like NoScript, but on steroids.

Seconded! I find uMatrix terribly unintuitive, but once I figured it out it's my most crucial Chrome extension other than uBlock (and Hacker News Enhancement Suite, perhaps).

> In this talk we'll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0day, and will show where to look for these 0day. We will also discuss simple principles of how to avoid designing such protocols.

Sounds like you want the next-gen version of what https://en.wikipedia.org/wiki/Project_Xanadu was supposed to be. Unfortunately while you were discussing the above with like-minded peers other people were shipping things that users (not designers, users) want. The latter always trumps the former.

I agree with you philosophically - how could you not - but how do you have your cake and eat it, too, in this regard? Xanadu was impossible enough, and expecting to have all its trappings with the best parts of TimBL seems like the recipe for a classic Borges tragicomic short story.

1) The system you’re describing wouldn’t have prevented this.

2) Just use NoScript if you’re that paranoid.

Why would it not have prevented this? If my browser only ran approved Javascripts, it wouldn't be mining coins.

> Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?

That's interesting, but I'm not sure it's relevant here because downloading and executing arbitrary code without understanding what it does is a fundamentally insecure thing to do.

Unfortunately, the same technology is used by Facebook, Google, etc. to track people around the internet, so it's unlikely to get "fixed" any time soon.

> "The Science of Insecurity"

The langsec approach of using formal recognizers that validate the validity of input before processing it in any way (stop creating weird machines!), and designing network protocols that are actually decidable without solving the halting problem (network input must be no more complex than deterministic context-free) should be considered the bare minimum for all network-associated software. It won't solve all security problems, but we should at least be handling the problems we know how to solve. Anything less should be considered severely unprofessional, and at least civilly negligent.

> The web seriously sucks.

Dan Geer discussed his terrifying visions of the future in a recent keynote[1][2]. The suck extends far beyond the web; "Cybersecurity and the future of humanity are conjoined". He gives many examples that demonstrate just how bad the suck is, and how ill-prepared the world is for these looming problems - at any level of society.

> The cumulative effect of the curves for computing, storage, and bandwidth is this: in 1986 you could fill the world's total storage using the world's total bandwidth in two days. Today, it would probably take nine months of the world's total bandwidth to fill the world's total storage, but because of replication, synchronization, and sensor-driven autonomy, it is no longer really possible to know how much data there is. Decision making that depends or depended on knowing how much data there is is over.

> The execution space on the web today is that the client is the server's server, its bondsman if not concubine. You intake Remote Procedure Calls (RPCs) from everywhere and everyone. You are supposed to believe that trust is transitive but that risk is not. That is what Javascript does.

What is the solution?

> To be deadly serious about cybersecurity requires that --EITHER-- we damp down the rate of change, slowing it enough to give prediction operational validity --OR-- we purposely increase unpredictability so that the opposition's targeting exercise grows too hard for them to do. In the former, we give up many and various sorts of progress. In the latter, we give up many and various sorts of freedom as it would be the machines then in charge, not us. Either way, the conjoining is irreversible.

I'm wondering how bad this will get before the masses declare a Butlerian Jihad. I personally know a handful of people that already use a revolt against technology as their primary political belief.

[1] https://www.youtube.com/watch?v=hcIiD4UUDE8

[2] http://geer.tinho.net/geer.rapid7.14ix17.txt

Correction: the URL for [2] should be http://geer.tinho.net/geer.source.27iv17.txt

Because C.

I’ve been running a miner via coin-hive.com. The earnings are ridiculously low. With 5 ad slots, I make around $6 RPM. With coin-hive/monero, it's not even equivalent to $0.5. Unless you are a website with the page open for hours and you have millions of views, this does not even make sense.

Or maybe I am not doing this right.

Yes this is what I calculated as well. Regular ads are still way more profitable - even if you somehow convince all your visitors to keep your page open 24/7.

Even coinhive admit that you can't use this to make real money.

If it's worth it depends on the site, your target audience and the ads you'd be allowed to show based on your content.

At this point, we (Coinhive) have paid out 992 XMR (about $89.000) to our users. We started this service 11 days ago.

$89.000 or $89,000?

This still doesn't clear things up (both "," and "." can be used as thousands and fractions separation symbol, depending on locale). A more international way is to use whitespace or nothing at all for thousands ($89 000 or $89000) and use "," or "." (depending on locale) for fractions only.

992 XMR is about $88000 ( https://coinmarketcap.com/currencies/monero/ ), so the 2nd one

Who says you have to do only one?

In the absence of an effective micropayment method, I could see this exchange of mining for content becoming main stream that replaces commercials. The cost to the viewer is ultimately a few cents of electricity, without the need for a bank account information, which the content producer indirectly turns into cash.

> The cost to the viewer is ultimately a few cents of electricity

And the cost to society is a few cents of electricity minus the fraction of a cent the site gets, paid in fuel being wasted on producing that electricity.

Crypto mining is a disaster. If I were an evil mastermind who wanted to deepen the energy and climate problems of the world, cryptocurrencies is what I would push for.

What about the millions and millions of man hours that go into creating and distributing advertising? Surely that's also an enormous waste?

It is. And I speak out frequently against it.

Advertising today is mostly a zero-sum game, where all the effort you put into it goes to offset the equivalent effort your competitor puts into it. Thus it forms a feedback loop of ever increasing waste.

Still, this topic is not relevant to discussion about merits of cryptocurrencies.

Why do you think that minor cryptocurrency mining operations are worse in regard to wasted fuel than playing computer games, watching mindless YouTube videos, scrolling Facebook, leaving devices on when not used, lighting places 24/7 where nobody goes at night anyway, etc.? We, as a society, waste an enormous amount of resources anyway; I don't see how mining in a browser would even dent that. Sure, those mega cryptocurrency mining stations are a totally different thing that I'm not talking about here.

Mining in a browser is going to consume my battery and bandwidth and you shouldn't be surprised that people aren't happy about that.

"Mining in a browser is going to consume my battery and bandwidth"

You mean just like ads do? Of course, in a perfect world we wouldn't have either, but I just don't see clear distinction between mining in browser or ads or other useless/annoying things (from the user perspective).

In ads, waste of electricity is a bug. The more lean you can make them, the better (even if only because you can then put more of them). In cryptocurrencies, waste is a feature. The more power you burn, the more money you get.

One of those disincentivizes waste (however weakly). The other incentivizes it.

People are unhappy about the kind of ads that do that excessively too.

Cryptocurrencies in the browser are[0] irrelevant. But they're a part of a larger ecosystem of cryptocurrency mining, and that ecosystem is a huge problem.

> playing computer games, watching mindless YouTube videos, scrolling Facebook, leaving devices on when not used, lighting places 24/7 where nobody goes at night anyway etc.?

We do. But all those examples are the case where energy use gives us something (fun, convenience) and where the waste is bounded (there're only so many devices I can leave powered, and also I have to pay for the power they use). Crypto mining literally pays you for wasting power, so the more electricity you can burn, the more money you get. And the more people join in, the more you have to burn to keep up. So there's almost no ceiling to how much personally you get to waste, and a strong incentive to waste as much as you can.

And what's all of that for? To replace a system that works fine and does not have a greed-powered feedback loop of waste? That's just dumb.


[0] - Currently. Hopefully they'll always stay that way, but there's an off chance this becomes so popular that all new computers will come equipped with additional hardware and drivers to mine crypto for micropayments.

"Crypto mining literally pays you for wasting power, so the more electricity you can burn, the more money you get."

Well, you (or somebody else) still has to pay for power consumption used for mining, so it just converts money you pay for energy bill to micropayments (though in very unfavorable rate as of yet). Don't get me wrong, I don't advocate such shady behavior in any way, just wanted to point out that this "wasted power" point is a bit of a stretch.

You pay less for the wasted power than you get in cryptocoins - otherwise you wouldn't mine at all. The delta is what cryptocurrency system pays you for wasting electricity.

Because you think fiat currencies have no associated energy consumption?

They do. But in management of fiat currencies, it's understood that energy expenditure is an upkeep that is to be reduced. In cryptocurrencies, on the other hand, energy use is a "feature" that's intended to grow over time.

Or put differently, cryptocurrencies are trying to replace a system that's O(log n) with respect to energy with a system that's O(n^2), for questionable and mostly imaginary benefit of trustless payments.

The cost to the viewer is ultimately a few cents of electricity

For a regular computer plugged-in to a real electricity network, maybe. For a person on battery, or trying to charge their device before going out, or on a limited power supply (e.g. small home battery supplied by solar panel, or a car charger), it's more than that.

The problem is that mining is effectively a zero-sum game (value of the underlying cryptocurrency notwithstanding). The more people mine the less each individual hash is worth.

If this becomes mainstream, the overall difficulty of the cryptocurrency they're mining will rise, making it less rewarding.

In other words, you have a "micropayment" method where you can't really fix the price unless you're willing to force the user to mine for a certain amount of time before they can access the content. All I see is a good way to waste energy.

I’m no economist, but it seems like the millions of dollars of electricity that have gone into mining crypto currencies is transferred into the underlying value of the crypto currency. So if I know that it will take $100m of today’s money to mine crypto currency for the next year, then I would expect the total market cap of that crypto currency to rise by at least $100m with a premium for speculation and other supply demand issues. So in that sense the value of the mined currency should increase with the mining cost.

It's the other way around really, the value of the crypto dictates how much money you can spend mining it and still break even. Except then the difficulty will increase and even things out. Having more miners could increase the trust in the currency and increase its value but it's not directly correlated.

Mining from a random browser will almost certainly never be cost effective for the user, you're better off buying or renting dedicated hardware, mine on it and use the reward to pay for microtransactions.

But that is not the right question to answer. The right question is is the cost of mining crypto currencies in a browser more or less than the cost of dealing with advertising?

The problem is that mining through the browser is very inefficient. I don't have numbers but it'd probably cost an order of magnitude more, at least, to mine on the browser. And I'm talking about CPU cryptos, forget about bitcoin.

That may be true for Ethereum or Bitcoin, but not for Monero.

The Coinhive Monero miner is about 65% as fast as a native miner would be, at least in Browsers that support WASM.

Disclaimer: I wrote the Coinhive Monero miner.

How does it feel to see your code getting used worldwide... almost entirely by deceitful scum?

You get a lot of hate. But I think what you did was really cool!

Thank you very much for this information. Support for WASM looks decent. Looking into it now!

Only 65%? That’s an opportunity for a 50% speedup by writing in native code. And running on the GPU would be even faster, no? What’s the protection against that?

If this became mainstream I’m sure we would find more efficient solutions.

Someone will just package a mining ASIC with an API that lets advertisers use it directly and market it as a way to speed up web browsing.

Maybe Intel will throw it on their chips as a processor extension.

> The cost to the viewer is ultimately a few cents of electricity

At US electricity prices.

At German electricity prices of 0.40$ per kWh, this is costing you a magnitude more than the site even gets.

Legal uncertainty aside, I could also see an entity like Facebook running their own ICO and then using that crypto currency for micro payments and other transactions on the Facebook platform. In some ways that crypto currency would becomes the official currency of Facebook’s virtual nation state.

Don't worry, ads are much more profitable than mining, and this difference increases every day.

Crypto currencies will probably give us usable micropayments and finally enable us to pay content producer in a better way than viewing ads on their page.


This article by Jakob Nielsen already called for them 20 years ago and if you read it today, it doesn't look like we moved a bit considering ads on websites.

The payment overhead with traditional payment options is just too big. PayPal has 30 cents per transaction IIRC? Way too much if you just want to process a few cents or even a fraction of a cent. Systems like Flattr or Kachingle solve this in another interesting way, but it's still not ideal.

Crypto currencies would solve this problem nicely, but of course there need to be easier ways of getting them and paying with them. I have no doubts that the latter will come quickly (see also the new Payment Request API). The former, we'll have to see. But I'm optimistic and would be surprised if we didn't have that within 5 years.

Come back when there is a crypto currency that is not 99% scam and speculation. Volatility in value and the missing anonymity is what makes Bitcoin etc utterly useless for anything reasonable.

Did I mention Bitcoin anywhere in my post? I deliberately talked about "crypto currencies" and didn't single out any of the existing ones that could be used for this. It's also possible that a new, not-yet-existing one could be used for this, like the Facebook coin/token mentioned elsewhere in the thread.

A crypto currency backed by a real world currency would of course be best as you don't have an issue with volatility but you have to live with some volatility anyway, if you don't restrict yourself from buying from places that use the same currency as you.

Anonymity is obviously not a problem for most people as you can see by all those people that use Paypal and credit cards. For those people even the level of pseudonymity that Bitcoin offers would actually be an improvement.

>> mining for content becoming main stream that replaces commercials

Replaces? Like they'll ever give those up...

Actually, why is this not a potential legitimate business model?

I let you stream content for free and you let me mine crypto-coins with your spare CPU cycles while you watch. Isn't that better for people who don't like all the tracking by ads?

It only really makes sense with browser-level cpu scheduling. Otherwise there's no real way to throttle the amount of cpu these bitcoin miners take from you.

Without that, I think people are unlikely to be sympathetic and they'll be snagged by ad blockers rapidly: consent is the cornerstone of products people like.

This is great! Thanks!

Why would they block miner.pr0gramm.com, which is only used in one specific place (the pr0gramm site itself) where you need to explicitly press a start button to mine?

"More than $BIGNUM entries? These guys know what they're doing!"

My point is that it's clear that you mine when you use their miner. You get premium points on the website as a reward. How is that shady? I think it's a perfect use case of where a web miner makes sense as an alternative monetization method.

It's possible to throttle. Perform n hashes, wait 100ms, repeat.

Certainly it's possible for the script author to throttle. Not so much for the web site visitor.

I hope it's just a matter of time before browsers start to throttle sites...

Or maybe search rankings will be affected by CPU usage, and bandwidth.

Chrome has added throttling for inactive tabs. The problem is this is an active tab open for long stretches of time doing a somewhat CPU-intensive task, so throttling isn't an option. I also doubt they'd be too adversely affected by slipping down the search rankings in this case.

Bandwidth and loads time already do play a part in search rankings, at least with Google.

Which is a lot easier to measure than long-running CPU usage, unfortunately (at least not without privacy concerns, e.g. getting real-world data from users).

> why is this not a potential legitimate business model?

I was thinking the same thing the other day when I first heard about it. One of the main issues with existing subscription models is that some people only want to consume a small fraction of what is available from a service provider (news, music, video etc) yet have to pay a not-insignificant fee for access to everything. A good example would be the latest Star Trek series only being available in the US via CBS All Access (thankful that I'm in a country where it'll be available on Netflix).

If I could lease out my CPU for a real-time exchange of services, that'd suit me just fine. I already have accounts with an energy provider and ISP, so it's one fewer monetary relationship I need to worry about.

You could be asked on a per view basis, so by default all sites are blocked and need to ask for the exchange to be approved. You could also white-list trusted sites, or for a set period approve all requests not unlike a software firewall e.g. Little Snitch paired with an ad-blocker.

This is something the W3C should standardise at the browser level so it's not inefficient and works across different browsers effectively. It could potentially save journalism and other business models that don't jive well with existing subscription/payment structures.

Running this at full speed will turn your fan on, and having this running could damage or limit the life of your computer.

It's like driving for uber where in the end you pay more for repairs than you would in salary.

At the end of my post I suggested it be standardised at the browser level for this purpose. Just because the implementation sucks now doesn't mean it has to always suck.

It is a non-scalable model. The more people who use this, the greater the rating for mining. Currently it takes 5.5 billion hashes to meet the min payment for Coinhive. At full power you might get 30 H/s per person on a desktop or 15 H/s on a phone. If you had 10000 mobile visitors who came every day and stayed 1 minute it would take 10000 days to get the min payout: 1/2 a Monero coin, so about 40/50 dollars. I don't see how this will replace advertising, where one affiliate sale could replace this income.

These aren't free streaming services, and there was no disclosure, let alone consent, about the mining.

edit: And CBS most likely never ordained the mining to begin with.

Mining in Javascript will get you less than the infrastructure costs to provide the videos, let alone replacing ad revenue.

What about a clever webgl shader to leverage the GPU?

Or a browser that offers a first-class mining API. Then we'll see every device come with a specialized mining chip. As long as you meet the required number of hashes you get the ad-free experience.

Sounds like an abomination.

It might force devs to optimize code more, since there will never be any more spare cycles muhahaha

Not if it's free and distributed worldwide. 99% of people don't even know what these coins are, regardless of what happens in the background when a computer requests content on a server.

I see it alongside ads.

No matter how many browsers are working on it?

"We lose money on every sale, but we make it up in volume!"

If we're talking about new monetisation schemes, can we not entertain the thought of using newer technologies better suited to streaming at scale? I'm thinking of IPFS in particular, but there are probably other solutions as well.

Such as WebRTC.

Who's to say it's spare cycles? How does the site know I'm not watching something in a tiny window while doing work?

Or watching full-screen while a script does the work.

It makes sense while the coins have value; I wonder what value they would retain if every website started doing this.

Also, I question whether it's a sensible use of electricity on the whole.

I hate it being done without informed consent. It's also a huge waste of electricity. On the plus side it could lead to micropayment funded instead of ad-funded sites.

> I hate it being done without informed consent.

I'm more worried about the precedent, "informed consent" can always be buried deep in a T&C document.

"consent" can perhaps be buried, but I doubt it would be found to be informed.

You know what's even better than that?

Downloading the 1080p torrent off TPB.

Which coin is worth mining on a CPU at all?

Monero? Existing botnets earn $50,000/day mining on people's computers at night while finding ways to spread to additional ones.

A single computer earns pennies, a couple hundred thousand earn way more.

A single computer rarely even earns pennies.

It would be fun if AES-NI support was added to JavaScript engines, though it would need a standard.

As far as I'm aware, AES calculations aren't a component of any cryptocurrency.

Yes, Monero uses the CryptoNote PoW algorithm which uses AES.

A customer base of hundreds of thousands doing streaming will cost you way more than $50k/day.

It doesn't have to completely cover the costs, only offset it some and be used in conjunction with other income generation methods.

Personally, I don't mind it so long as it is both fully disclosed and the ramifications fully explained - both in an accessible manner to a layperson. So long as they do that, I'm okay with it. I'm more okay with it if they give the user a simple means to opt out in a meaningful fashion.

Now, chances are exactly none of those conditions will be met in the real world. But, in principle, I am okay with it.

Unless you just package it and let youtube do the actual streaming. Imagine creating "cat-videos.com" and embedding all the youtube videos into the site but providing a better UI for browsing them.

But you'd get both ads and mining. The point of mining was to get rid of ads!

You pay us in electricity draw we didn't tell you about is a good business model?

Do people complain about the electricity draw when they're hosting a bunch of bloated flash?

Yes. That's why iOS doesn't have flash.

It is, but the difference here is that the contracted developer added it to mine coins for themselves.

That seems likely to me too, but did the article say that? Or is there another source?

In the article:

> "Upon reviewing our products and code, the HTML comments shown in the screenshot that are referencing newrelic were not injected by New Relic's agents. It appears they were added to the website by its developers."

> [Coin Hive] did confirm to us, however, that the email address used to set up the account was a personal one, and was not an official CBS email address, further suggesting malicious activity.

Yeah, it was obvious it was never New Relic. But it is not obvious if it was a contractor, an employee, or someone who gained access through other means.

Given the difficulty of mining any worthwhile cryptocurrency these days (even using GPU farms instead of a web browser running on a tablet or underpowered laptop) I doubt it'd generate enough revenue to make up for the loss of ads or other micropayment options.

Furthermore you can't even fix the price of the payment since you're at the mercy of the hash difficulty and the cryptocurrency value. Doesn't seem like a very good business model to me.

> spare CPU cycles

"Spare CPU cycles" were only a thing back in the 90's, when CPUs ran at a fixed frequency, and it didn't make much difference whether it was running useful code or waiting in the idle loop. Nowadays, the frequency and voltage vary depending on whether the CPU is being used or not, so instead of "spare cycles" doing nothing the CPU powers itself down.

the only in-browser miner I've seen sucked up CPU whether it was spare or not.

Because if this becomes mainstream, people will come to know what cryptocurrency and mining are and wonder why they aren't mining it themselves (more effectively so, using native clients instead of shitty JS miners) instead of giving it to others in exchange for content they were getting anyway with adblock.

Greed basically.

Doing it on my laptop probably means I won't even finish the episode before I run out of batteries.

There needs to be consent on both sides, for it to enter the realm of legitimacy.

So, you cut my phone’s battery runtime to nothing, cost me 10 to 100x more than you get yourself in electricity (German electricity prices are north of 0.40$ per kWh), and with a few dozen tabs my system crashes?

No thanks.

It might be okay if it was clearly explained and legit.

It is a business model. VPN service Windscribe offers free Pro service (apparently) if you let it mine a certain threshold of coins in your browser.

Well at the moment, likely because people aren't being told about it...

iPhones are a much better vector.

Not all computers are built to do heavy computing. My poor Mac mini would probably melt after a few minutes of mining.

Interesting, you should apply to YC 2018!

On a similar note, I wonder how much money the Chinese government could make if they used the method they used to DDoS Github [0], but instead to load crypto-coin mining JavaScript onto every Baidu user's computer?

Then again, that seems like one of the fastest ways to make the average citizen actually angry at the Great Firewall.

[0]: https://arstechnica.com/information-technology/2015/03/massi...

The Chinese government is working hard to decrease pollution, not add additional stress on the power grid. Incentives change when you're the one responsible for all the externalities.

The GFW works both ways. That attack injected code into Chinese browsers viewing sites outside the GFW, but it could just as easily inject code into browsers outside the GFW viewing Chinese sites...

21st century version of https://en.wikipedia.org/wiki/Salami_slicing

Can't wait for this to show up as a plot device for Mr. Robot or something.

I wonder if sites doing this could be sued under a computer misuse act.

How soon before this kind of behavior gets a worse name than actually running ads? Coin-hive is not helping its case by allowing people to run the miner without approval. It won't take much time before most anti-virus/anti-malware tools start tagging it as malicious.

The buck does not stop here. Prepare for cryptomining bloatware to come preinstalled on all your devices in the near future.

Here's a gray market "business model":

- Hacker H hacks site, injects cryptomining script

- Because H doesn't want other hackers to do the same, he will make the site secure and thereby kind of "maintain" it (in a security sense)

- Because H doesn't want the site to slow down endlessly, he will use cryptomining "as much as possible" while still keeping the site sufficiently responsive (otherwise traffic would go down and net income would decrease in the long run)

End result: a kind of a symbiotic relationship between a gray hat hacker and a standard web content provider.

Nothing gray about that.

But it could make an entertaining short story, with H eventually sitting in meetings with everybody not realizing that nobody hired him, H himself slowly forgetting that, an intermediate crisis when H's position is threatened after a merger and a dramatic finale when all is revealed after H is chosen as the next CEO.

I have heard of malware that does more or less the same: exploit a vulnerability, but patch it as soon as it has access to prevent others from exploiting it too.

While your plan makes sense, I can see a future where there are two big gray-market parties left that use the equipment under their control to attack the other party, and not mine crypto...

As if I needed another reason to browse with JS disabled.

https://github.com/jakeogh/glide (dont use the recent commits)

The other day someone was ranting about web app technologies. This is actually a nice idea. A browser without JavaScript. For all the fun interaction, the browser may add extensions of widgets. Let all richness be supplied by the browser.

That would be worse than JS obfuscation of content because now it's browser specific PLUS you gotta execute an arb program (which is the real problem) to (maybe) get the result.

The separation of content from presentation is a fundamental building block of the past and future of the internet. Attempts to mix the two will fail. Flash is dead and its close relative JavaScript is next. Outdated players will resist because without JS their data is accessible.

A web where every site has its own extension? That sounds like a nightmare.

Next-up: Video-player extension caught mining...

Is this a violation of the CFAA? Without explicit permission to do this, it seems an awful lot like unauthorized use

Everything is a violation of the CFAA. It's just a matter of who it is rocking the boat. They could just as easily make a ToS that would make it a violation of the CFAA to disable the monero miner.

I don't see any problem with crypto-miners on pages for revenue though. They're no more resource-stealing or annoying than the typical JS 'web app' that passes for a website these days.

I'm not a lawyer, so my opinion is worth what you paid for it, but...

Without an authentication bypass, I don't think the CFAA applies (last I perused it).

The end user probably doesn't have standing under CFAA unless the website's ToS suggested they would not act this way. If you, as a web visitor, visit a website you are largely at the mercy of whatever plugins they load onto your browser during that session. In exchange for access to the content on the site, the website owner can steal your data (tracking + analytics), your bandwidth (autoplay advertising videos), and the processing resources associated with loading a webpage (or whatever else you can do in a webpage).

The website's owner might be able to bring a case against the person who injected it, perhaps (depending on who it was and who authorized it). The infraction may not be "breaking into" a computer as the CFAA requires if it was a CBS/Showtime employee/contractor who did it. It is almost certainly grounds for some sort of punitive employment / civil action if it wasn't a requested feature by CBS/Showtime.

The fun part about the law is that the gray areas aren't all defined ahead of time. Web visitors can sue or attempt to bring criminal charges and we get to watch how it unfolds in the courts.

But when I go to a website I expect to get the content. I don't expect the owner to use my computer for mining. That seems like unauthorized use to me.

While I don't think that's actually how the law can be interpreted, it does get at the central issue most computer users/researchers have with the law. It allows different standards for what "unauthorized" means, hence it is very elastic and can easily be abused, especially when combined with the plea bargain process (@see Aaron Swartz).

But when I go to website I expect to get the content. I don't expect the owner to use my computer for running a bunch of tracking ad code. That seems like unauthorized use to me.

CFAA is wholly or at least primarily a part of the code focusing on criminal violations. So unfortunately it would require a motivated government attorney in order to invoke the CFAA. This likely falls beneath their outrage level.

What's the difference (legally speaking) between a badly programmed inefficient ad that hogs your CPU and some mining code?


If this becomes an open-source library that you can integrate into your app's own JavaScript blob and obfuscate, it can become ridiculously difficult to detect and distinguish from regular JavaScript processing in a sufficiently complex web app, as long as the actual mining is throttled to a reasonably low rate.

This seems like something that will inevitably be everywhere and displace some use cases for advertising, and could possibly even replace it entirely eventually. I personally see it as the lesser of two evils, as long as apps don't try to run miners at full throttle and thereby provide a horrible user experience, and instead operate it at say 95% idle and only when I'm actively using the app. Although in practice I realize this is almost impossible to identify and enforce.

I'd much rather offer some limited amount of compute on my devices to support content creation on the web than offer my privacy and be subjected to subliminal mind tricks 24/7 as I'm forced to in the status quo.

When browser tabs have audio, they get a little speaker icon. The same can be done for WebGL and WebCL.


If you obfuscate it it will run even slower, and it wouldn't be hard to detect the code heuristically and kill it. And in case it does become really hard, you can just kill the network requests so whoever is mining on your PC doesn't get squat.

I haven't done the maths, but I imagine even at full throttle it gives much less returns than advertising

I just did the math for my machine, because why not...

I was getting 35 hashes a second on my stock i5 2500K [0] with four threads. This was enough to get my fans revving up more than any game I ever play. For that rate, it works out to ~0.0018 USD per hour, using their 47 USD rate for the .5 XMR minimum payout.

[0] https://ark.intel.com/products/52210/Intel-Core-i5-2500K-Pro...
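The two estimates above (the per-site one with 10000 mobile visitors and the per-machine one with 35 H/s on an i5-2500K) both reduce to the same arithmetic: hashes contributed, times the USD value of a hash at the quoted payout terms. As an added example that is not code from the thread, from Coin Hive or from any commenter, here is that model with the thread's figures as constructed inputs (5.5 billion hashes for the 0.5 XMR minimum payout, valued at 47 USD); the `dutyCycle` parameter is my addition for the "perform n hashes, wait, repeat" throttling discussed earlier, and every number is a quoted figure, not a measurement.

```javascript
// Added example (not from the thread, Coin Hive or any commenter): a small model
// of what in-browser mining pays, using the figures quoted in the comments above
// as constructed inputs. Nothing here is measured; change the numbers to taste.

// Payout terms as quoted in the thread: 5.5 billion hashes for the 0.5 XMR
// minimum payout, which the commenter valued at 47 USD.
const QUOTED_PAYOUT_TERMS = { hashesPerPayout: 5.5e9, usdPerPayout: 47 };

// USD earned per hash at those terms.
function usdPerHash(terms = QUOTED_PAYOUT_TERMS) {
  return terms.usdPerPayout / terms.hashesPerPayout;
}

// What one visitor's machine earns the site per hour. dutyCycle models a
// throttled miner ("perform n hashes, wait, repeat"): 1 = flat out, 0.05 = 95% idle.
function usdPerVisitorHour(hashesPerSecond, dutyCycle = 1, terms = QUOTED_PAYOUT_TERMS) {
  return hashesPerSecond * dutyCycle * 3600 * usdPerHash(terms);
}

// Aggregate over an audience: hashes/day, days until the first payout, USD/day.
function siteEconomics({ visitorsPerDay, secondsPerVisit, hashesPerSecond, dutyCycle = 1 },
                       terms = QUOTED_PAYOUT_TERMS) {
  const hashesPerDay = visitorsPerDay * secondsPerVisit * hashesPerSecond * dutyCycle;
  return {
    hashesPerDay,
    daysToFirstPayout: terms.hashesPerPayout / hashesPerDay,
    usdPerDay: hashesPerDay * usdPerHash(terms),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // The desktop figure from the thread: 35 H/s on an i5-2500K with four threads.
  console.log('desktop, full throttle, USD/hour:', usdPerVisitorHour(35).toFixed(6));
  console.log('desktop, 95% idle, USD/hour:    ', usdPerVisitorHour(35, 0.05).toFixed(7));
  // The mobile-audience figure from the thread: 10,000 visitors/day, 1 minute each, 15 H/s.
  console.log(siteEconomics({ visitorsPerDay: 10000, secondsPerVisit: 60, hashesPerSecond: 15 }));
}
```

Plug in a real CPM figure from your own ad reports in place of `usdPerDay` to compare; the model deliberately leaves out pool fees and price swings, both of which only lower the number.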

It's just some developer who injected coin-hive code on the website he manages, hoping to make a quick buck. Executives would never direct mining from users, considering the incredibly low ROI. And the dev is an HN reader, as the coin-hive post was on top some days ago.

So where are the arrests under the Computer Fraud and Abuse Act?

By visiting a web page with JavaScript enabled, don't you consent to running the code they send you? If so, there is no crime.

By the way it appears we need a (configurable) CPU/GPU cycle limit for JavaScript code in browsers now...

There's a $5000 threshold for stealing CPU time. A mining program might hit that.

knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

By downloading an executable and starting it, don't you consent to it running on your computer? Despite this, distributing malware is illegal in most cases.

Use the EU cookie directive as an example of why that world view isn't quite correct.

Even before it, most browsers had optional methods of blocking cookies...

For those like me who interpreted the title to mean that CBS/Showtime had deliberately inserted the crypto-mining code themselves and been caught red-handed doing it: nobody knows who actually did it. The author hypothesizes that it was some malicious actor who got access to Showtime's code base, although this hypothesis is based on the author's surmising that it would be extremely unlikely for CBS to do this deliberately.

If I made a cookie-clicker type app and let users know that (mining) was how I made money I doubt there would be anything illegal about it.

The economics of in-browser mining as an alternative to ads is stupid. Everyone would be better off if the user just paid a fraction of a cent per page visit with a credit card. That such a convoluted and inefficient mechanism is being seriously considered is a demonstration of how woefully ill-suited our economic model is in the information age.

Is there a tool like an AdBlocker for crypto coin miners? Or are they recognized by AdBlockers?

You can always block JS from known sources that do this (use NoScript or similar), though I don't know any automatic way yet.

Is it intentional?

3 quite big Ukrainian web sites were found to use the same script.


uBlock Origin added some filters for miner scripts:


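The two answers above (NoScript-style blocking of known sources, and uBlock Origin's filters for miner scripts) both come down to matching script URLs against a blocklist written in the ABP/uBlock network-filter syntax. As an added example that is not code from the thread, from uBlock Origin or from Coin Hive, here is a matcher for the subset of that syntax such rules use, run over a constructed list of script URLs; the filter list and the URLs (including the paths under coin-hive.com and miner.pr0gramm.com, both hosts the thread mentions) are constructed for the example, not copied from any real list or page.

```javascript
// Added example, not code from the thread, from uBlock Origin or from Coin Hive:
// a matcher for the ABP/uBlock network-filter syntax that blocklists use, run
// over a constructed list of script URLs. Supported subset: '!' comments,
// '||' host anchor, '|' start/end anchor, '^' separator, '*' wildcard, and
// '$options' (stripped, not evaluated). Cosmetic '##' rules are skipped.

// Constructed sample list in uBlock Origin syntax (not uBlock's real list).
const SAMPLE_FILTERS = `
! miner scripts (constructed example list)
||coin-hive.com^
||coinhive.com^$script
||miner.pr0gramm.com^
`;

// Constructed <script src> URLs as they might be collected from a page.
const SAMPLE_SCRIPT_SRCS = [
  'https://coin-hive.com/lib/coinhive.min.js',
  'https://cdn.coin-hive.com/lib/miner.js',
  'https://example.com/static/app.js',
  'https://notcoin-hive.com/lib/coinhive.min.js',
  'https://miner.pr0gramm.com/xmr.min.js',
];

// Escape a single character for use inside a RegExp.
function escapeRegexChar(ch) {
  return /[.+?()[\]{}\\\/$]/.test(ch) ? '\\' + ch : ch;
}

// Compile one network-filter pattern (options already stripped) to a RegExp.
function filterToRegex(pattern) {
  let re = '';
  if (pattern.startsWith('||')) {
    // Host anchor: any scheme, '//', optional subdomain labels, then the host.
    re += '^[a-z][a-z0-9+.-]*:\\/\\/(?:[^\\/?#]*\\.)?';
    pattern = pattern.slice(2);
  } else if (pattern.startsWith('|')) {
    re += '^';
    pattern = pattern.slice(1);
  }
  let endAnchor = false;
  if (pattern.endsWith('|')) {
    endAnchor = true;
    pattern = pattern.slice(0, -1);
  }
  for (const ch of pattern) {
    if (ch === '*') re += '.*';
    else if (ch === '^') re += '(?:[^a-zA-Z0-9_.%-]|$)'; // ABP "separator"
    else re += escapeRegexChar(ch);
  }
  if (endAnchor) re += '$';
  return new RegExp(re, 'i');
}

// Parse a filter list: drop comments, headers and cosmetic rules, strip $options.
function compileFilterList(text) {
  return text.split('\n')
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('!') && !line.startsWith('[') && !line.includes('##'))
    .map((line) => ({ rule: line, re: filterToRegex(line.split('$')[0]) }));
}

// Return the text of the first rule that matches the URL, or null.
function matchingRule(url, compiled) {
  const hit = compiled.find((f) => f.re.test(url));
  return hit ? hit.rule : null;
}

// Return the script URLs a page loads that the list would block.
function flagScripts(scriptSrcs, compiled) {
  return scriptSrcs.filter((url) => matchingRule(url, compiled) !== null);
}

if (typeof require !== 'undefined' && require.main === module) {
  const compiled = compileFilterList(SAMPLE_FILTERS);
  for (const url of SAMPLE_SCRIPT_SRCS) {
    console.log(matchingRule(url, compiled) ? 'BLOCK ' : 'allow ', url);
  }
}
```

The `||` anchor is what makes `cdn.coin-hive.com` match while `notcoin-hive.com` does not: it requires the host to start at a label boundary rather than anywhere in the string. In a browser you would feed it `Array.from(document.scripts, s => s.src)`; note that, as a later comment points out, a miner bundled into the site's own obfuscated JavaScript has no third-party URL to match, so URL lists are only the first layer.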
The important bit is at the end of the article:

"Meanwhile, ad blocking tools are now killing the JavaScript on sight."

The irony though: replace ads with JS mining cryptocurrency. And guess who is blocking them...

They discovered the same thing on thepiratebay days ago. Probably they are uncovering a possible alternative to the banner-based web economy.

Is this illegal? (Like should they arrest whomever put that code in?)

Catch my ICO for VidCoin now while supplies last!

Do you have a white paper?

Where do I sign up?!

if running ads is acceptable, why is this bad?

Does running ads multiply your electricity costs (run your battery dry) and/or burn up your CPU? No.

Does cryptocurrency mining do that? Yes.

Do you see the difference now?

Running ads also dries your battery.

Do ads make your CPU run at 100% load? Most likely not. Yet mining scripts will do just that.

Does that mean a mining script that throttles its resource usage would be acceptable?

No, they're still using your computational resources without your (informed) consent for their own (financial) gain.

I see ads, I might not realize that the website I'm browsing is using my CPU to mine coins. If the website is upfront about using my browser to mine I don't think it's particularly unethical.

Maybe we should try to keep the discussion honest by distinguishing between ads, tracking ads, and cpu-burning cryptocoin mining.

Ads aren't acceptable either.

So, I've heard it happening to thepiratebay before this. Does this mean someone at CBS uses pirate bay and got the idea?

I think it's fairly certain that someone at CBS uses pirate bay. Though I doubt that is the source of inspiration for this.
