I bet some clever person on the marketing team just went ahead and inserted the tag. My first experience on a large corporate dev team was eye-opening. While the core product code was version controlled and reviewed, the marketing team had the power to insert any kind of scripts onto the page without clearance. In theory, anything new on the page would require many ridiculous meetings. In practice, they could and did put in whatever through a third-party like New Relic.
Tealium was my worst enemy at a previous job. 5 different departments had access to dump whatever garbage scripts they wanted on the website with no auditing by devs to make sure it wouldn't break things. I eventually put in a feature flag to nuke everything from Tealium to help us debug problems because so many were caused by rogue scripts.
An unexpected side benefit was being able to demonstrate side by side the effect that 200 extra scripts were having on pageload times.
Can confirm. We had a single-page app that, on navigation, did just one request (REST API call to fetch data), and 15 others for analytics. They fetched JS from the tag manager, which in turn included GA's analytics.js (again, it was a memory leak so if you used the app long enough you'd end up with dozens if not hundreds of lines of analytics.js including script tags), etc.
And getting to the data, getting meaningful information from all that information the analytics team was hoarding was a huge pain. They were like "No throw, only take!" (https://i.imgur.com/q46L4QH.jpg)
Ha, that gives me flashbacks! I worked in a similar environment where more than once the production site(s) (multi-country deployment, big brand) would show a blank screen because some ad script did a "document.write". Or some hastily-added external dependency would stop working and render the site unusable.
The discrepancy between the care taken about deployment strategies and these regular issues always bothered me, but eventually things became more consistent. That is, our deployment strategy became haphazard and gung-ho too!
We iframed all the ads after a few of them f###ed with our website. It's not needed if you work with AdSense, but we had multiple vendors and private deals, custom ads of all kinds.
> High pressure, low resources (money) => Marketing can do their own thing to reduce pressure on the development team.
"Marketing can do their own thing" makes for more work and pressure on the development team. "Why doesn't this work in production?" "Why is this slow in production?"
Nobody gets to skip CI, or work without coordination.
The kicker for me is that they expect you to act like they're doing you a favor and reducing your workload. Sorry, your next release is delayed because your previous attempt at "helping" is screwing things up.
> they could and did put in whatever through a third-party like New Relic.
They didn't put anything through the third-party. It's commented as NewRelic, but anyone even glancing at the link would notice this is completely wrong.
I wasn't suggesting that New Relic is to blame. I was suggesting that New Relic allowed somebody to put arbitrary script tags onto the page. It's more likely that Google Tag Manager allowed this and possible that New Relic doesn't allow this sort of thing.
As a marketer and coder, I appreciate those loopholes to make sh*t work (I used to do it all of the time, and was pretty much the basis I was hired on at my previous job) :) although I would concede giving anyone the option if they don't have tech experience is a nightmare waiting to happen.
"To make shit work", that is where the devil is. In the same line as, "how hard could it be". Having a tunnel vision to get something fixed right now with no regards to what will happen in the future. How the code will be maintained. Who will maintain it, and such.
As you might appreciate the "loop-hole", I'm sure there are many developers whom hate it because they have to fix your "fix" in the future.
You bring up an interesting tangent that I'll speak to. As a marketer who needs to get things done, I feel you. At this organization, this was in the general interest of all of the middle managers as well. This encouraged more and more off the shelf "solutions" to be jammed in, and misorganization of the core team development. I was a contractor here, and the core code base was crammed with bandage quick fixes to the point where it was actually suggested to use Google tag manager to to change code on the fly for other third-party scripts.
What are you trying to show? The page describes either manually copying NR's snippet, or injecting it via an agent. But it's always going to point at the newrelic server.
Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?
The answer to these questions is that for many protocols and services currently in use on the Internet, the problem of recognizing and validating their "good", expected inputs from bad ones is either not well-posed or is undecidable (i.e., no algorithm can exist to solve it in the general case), which means that their implementations cannot even be comprehensively tested, let alone automatically checked for weaknesses or correctness. The designers' desire for more functionality has made these protocols effectively unsecurable.
In this talk we'll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0day, and will show where to look for these 0day. We will also discuss simple principles of how to avoid designing such protocols.
EDIT: Sandstorm was looking to fix user permissions for individual programs on computers (they went defunct/bankrupt/no-longer-developing last I heard).
What I'm looking for is a user-facing, user-friendly structure that A) Does only what the user wants to do eg. load site B) Explicitly does NOTHING else eg run javascripts for cryptocurrency.
How could this work? Maybe your SecureBrowser*tm would only run Javascripts that have their hashes, and the hash of all the simultaneous Javascripts running on that page, approved by a network. Your client frequently checks this blockchain (why not) to download the latest approved scripts.
> Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?
This is a super naive view of the world.
Nowadays most hacking incidents are based on social engineering, meaning it's not the technology that's weak, it's humans who are the least secure. Yes that includes you and me.
So NO, your solution won't fix anything. Believing that a technical solution can fix everything is the most dangerous thing because in reality it will never be safe but you just have a false sense of safety, which is how most hacks happen--most hacks are carried out by taking advantage of this mentality that everything is safe enough, which in reality isn't.
You will probably believe that the system you designed is super safe because it only lets people do what they said they wanted to do, but as I said, most hacking incidents are social engineering, so someone will definitely take advantage of this and attack you where you least expect it.
Social engineering is responsible for in part or entirety many hacks. I'm not arguing that technical solutions will "fix everything". Technical stability is on aspect of secure systems.
The video is arguing: why should a doorbell have the ability to set your house on fire? (Metaphorically).
Heartbleed was an issue of exactly this
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software"
Architecturally, this should never have been possible.
Obviously attackers are going to look for the weakest point, but your agument sounds like "social engineering should happen, so don't bother locking your doors at all".
No i was only arguing it's not as easy as you think. Just like your solution you suggested can easily be hacked, any technological solution a human being comes up with is vulnerable to hacks.
The only thing I was criticizing was you seem to think it's easy to simply create a secure system. It's not. That's why there are tons of smart people in security but hacks still happen.
He's saying we know how to increase the energy needed to compromise a system, while spending less energy than would otherwise happen in the case of compromise. The harder a task is, the less often the task occurs.
Yes hacks still happen. See pharrington's response.
I don't think it's easy to create a secure system.
I'm in favor of making software more difficult to hack.
I think the Heartbleed example speaks for itself.
> EDIT: Sandstorm was looking to fix user permissions for individual programs on computers (they went defunct/bankrupt/no-longer-developing last I heard).
Nice job on that house you have there. Looks like you might even be able to play Warcraft 3 over LAN without spending the entire party trying to get it set up.
> What I'm looking for is a user-facing, user-friendly structure that A) Does only what the user wants to do eg. load site B) Explicitly does NOTHING else eg run javascripts for cryptocurrency.
When you get a spare half hour to figure it out well enough, add the uMatrix extension to your browser. It is like an old-school software firewall, except it is for your browser.
There is a learning curve, but it's fine once you get up to speed. It's a bit like NoScript, but on steroids.
Seconded! I find uMatrix terribly unintuitive, but once I figured it out it's my most crucial Chrome extension other than uBlock (and Hacker News Enhancement Suite, perhaps).
> In this talk we'll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0day, and will show where to look for these 0day. We will also discuss simple principles of how to avoid designing such protocols.
Sounds like you want the next-gen version of what https://en.wikipedia.org/wiki/Project_Xanadu was supposed to be. Unfortunately while you were discussing the above with like-minded peers other people were shipping things that users (not designers, users) want. The latter always trumps the former.
I agree with you philosophically - how could you not - but how do you have your cake and eat it, too, in this regard? Xanadu was impossible enough, and expecting to have all its trappings with the best parts of TimBL seems like the recipe for a classic Borges tragicomic short story.
> Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?
That's interesting, but I'm not sure it's relevant here because downloading and executing arbitrary code without understanding what it does is a fundamentally insecure thing to do.
Unfortunately, the same technology is used by Facebook, Google, etc. to track people around the internet, so it's unlikely to get "fixed" any time soon.
The langsec approach of using formal recognizers that validate the validity of input before processing it in any way (stop creating weird machines!), and designing network protocols that are actually decidable without solving the halting problem (network input must be no more complex than deterministic context-free) should be considered the bare minimum for all network-associated software. It won't solve all security problems, but we should at least be handling the problems we know how to solve. Anything less should be considered severely unprofessional, and at least civilly negligent.
> The web seriously sucks.
Dan Geer discussed his terrifying visions of the future in a recent keynote[1][2]. The suck extends far beyond the web; "Cybersecurity and the future of humanity are conjoined". He gives many examples that demonstrate just how bad the suck is, and how ill-prepared the world is for these looming problems - at any level of society.
> The cumulative effect of the curves for computing, storage, and bandwidth is this: in 1986 you could fill the world's total storage using the world's total bandwidth in two days. Today, it would probably take nine months of the world's total bandwidth to fill the world's total storage, but because of replication, synchronization, and sensor-driven autonomy, it is no longer really possible to know how much data there is. Decision making that depends or depended on knowing how
much data there is is over.
> The execution space on the web today is that the client is the server's server, its bondsman if not concubine. You intake Remote Procedure Calls (RPCs) from everywhere and everyone. You are supposed to believe that trust is transitive but that risk is not. That is what Javascript does.
What is the solution?
> To be deadly serious about cybersecurity requires that --EITHER-- we damp down the rate of change, slowing it enough to give prediction operational validity --OR-- we purposely increase unpredictability so that the opposition's targeting exercise grows too hard for them to do. In the former, we give up many and various sorts of progress. In the latter, we give up many and various sorts of freedom as it would be the machines then in charge, not us. Either way, the conjoining is irreversible.
I'm wondering how bad this will get before the masses declare a Butlerian Jihad. I personally know a handful of people that already use a revolt against technology as their primary political belief.
I’ve been running a miner via coin-hive.com. The earnings are ridiculously low. With 5 ad slots, I make around $6 RPM. With coin-hive/monero, it's not even equivalent to $0.5. Unless you are a website with the page open for hours and you have millions of views, this does not even make sense.
Yes this is what I calculated as well. Regular ads are still way more profitable - even if you somehow convince all your visitors to keep your page open 24/7.
Even coinhive admit that you can't use this to make real money.
This still doesn't clear things up (both "," and "." can be used as thousands and fractions separation symbol, depending on locale). A more international way is to use whitespace or nothing at all for thousands ($89 000 or $89000) and use "," or "." (depending on locale) for fractions only.
In the absence of an effective micropayment method, I could see this exchange of mining for content becoming main stream that replaces commercials. The cost to the viewer is ultimately a few cents of electricity, without the need for a bank account information, which the content producer indirectly turns into cash.
> The cost to the viewer is ultimately a few cents of electricity
And the cost to the society is few cents of electricity minus fraction of a cent the site gets, paid in fuel being wasted on producing that electricity.
Crypto mining is a disaster. If I were an evil mastermind who wanted to deepen the energy and climate problems of the world, cryptocurrencies is what I would push for.
Advertising today is mostly a zero-sum game, where all the effort you put into it goes to offset the equivalent effort your competitor puts into it. Thus it forms a feedback loop of ever increasing waste.
Still, this topic is not relevant to discussion about merits of cryptocurrencies.
Why do you think that minor cryptocurrencies mining operations are worse in regards of wasted fuel than playing computer games, watching mindless YouTube videos, scrolling Facebook, leaving devices on when not used, lighting places 24/7 where nobody goes at night anyway etc.? We, as society, waste an enormous amount of resources anyway, I don't see how mining in browser would even dent that. Sure, these mega cryptocurrency mining stations is totally different thing I'm not talking here about.
"Mining in a browser is going to consume my battery and bandwidth"
You mean just like ads do? Of course, in a perfect world we wouldn't have either, but I just don't see clear distinction between mining in browser or ads or other useless/annoying things (from the user perspective).
In ads, waste of electricity is a bug. The more lean you can make them, the better (even if only because you can then put more of them). In cryptocurrencies, waste is a feature. The more power you burn, the more money you get.
One of those disincentivizes waste (howewer weakly). The other incentivizes it.
Cryptocurrencies in the browser are[0] irrelevant. But they're a part of larger ecosystem of cryptocurrency mining, and that ecosystem is a huge problem.
> playing computer games, watching mindless YouTube videos, scrolling Facebook, leaving devices on when not used, lighting places 24/7 where nobody goes at night anyway etc.?
We do. But all those examples are the case where energy use gives us something (fun, convenience) and where the waste is bounded (there're only so many devices I can leave powered, and also I have to pay for the power they use). Crypto mining literally pays you for wasting power, so the more electricity you can burn, the more money you get. And the more people join in, the more you have to burn to keep up. So there's almost no ceiling to how much personally you get to waste, and a strong incentive to waste as much as you can.
And what's all of that for? To replace a system that works fine and does not have a greed-powered feedback loop of waste? That's just dumb.
--
[0] - Currently. Hopefully they'll always stay that way, but there's an off chance this becomes so popular that all new computers will come equipped with additional hardware and drivers to mine crypto for micropayments.
"Crypto mining literally pays you for wasting power, so the more electricity you can burn, the more money you get."
Well, you (or somebody else) still has to pay for power consumption used for mining, so it just converts money you pay for energy bill to micropayments (though in very unfavorable rate as of yet). Don't get me wrong, I don't advocate such shady behavior in any way, just wanted to point out that this "wasted power" point is a bit of a stretch.
You pay less for the wasted power than you get in cryptocoins - otherwise you wouldn't mine at all. The delta is what cryptocurrency system pays you for wasting electricity.
They do. But in management of fiat currencies, it's understood that energy expenditure is an upkeep that is to be reduced. In cryptocurrencies, on the other hand, energy use is a "feature" that's intended to grow over time.
Or put differently, cryptocurrencies are trying to replace a system that's O(log n) with respect to energy with a system that's O(n^2), for questionable and mostly imaginary benefit of trustless payments.
The cost to the viewer is ultimately a few cents of electricity
For a regular computer plugged-in to a real electricity network, maybe. For a person on battery, or trying to charge their device before going out, or on a limited power supply (e.g. small home battery supplied by solar panel, or a car charger), it's more than that.
The problem is that mining is effectively a zero-sum game (value of the underlying cryptocurrency notwithstanding). The more people mine the less each individual hash is worth.
If this becomes mainstream the overall difficulty of the cryptocurrency they're mining will raise making it less rewarding.
In other words you have a "micropayment" method where you can't really fix the price unless you're willing to force the user to mine for a certain amount of time before they can access the content. All I see is a good way to waste energy.
I’m no economist, but it seems like the millions of dollars of electricity that have gone into mining crypto currencies is transferred into the underlying value of the crypto currency. So if I know that it will take $100m of today’s money to mine crypto currency for the next year, then I would expect the total market cap of that crypto currency to rise by at least $100m with a premium for speculation and other supply demand issues. So in that sense the value of the mined currency should increase with the mining cost.
It's the other way around really, the value of the crypto dictates how much money you can spend mining it and still break even. Except then the difficulty will increase and even things out. Having more miners could increase the trust in the currency and increase its value but it's not directly correlated.
Mining from a random browser will almost certainly never be cost effective for the user, you're better off buying or renting dedicated hardware, mine on it and use the reward to pay for microtransactions.
But that is not the right question to answer. The right question is is the cost of mining crypto currencies in a browser more or less than the cost of dealing with advertising?
The problem is that mining through the browser is very inefficient. I don't have numbers but it'd probably cost an order of magnitude more, at least, to mine on the browser. And I'm talking about CPU cryptos, forget about bitcoin.
Only 65%? That’s an opportunity for a 50% speedup by writing in native code. And running on the GPU would be even faster, no? What’s the protection against that?
Legal uncertainty aside, I could also see an entity like Facebook running their own ICO and then using that crypto currency for micro payments and other transactions on the Facebook platform. In some ways that crypto currency would becomes the official currency of Facebook’s virtual nation state.
Crypto currencies will probably give us usable micropayments and finally enable us to pay content producer in a better way than viewing ads on their page.
This article by Jakob Nielsen already called for them 20 years ago and if you read it today, it doesn't look like we moved a bit considering ads on websites.
The payment overhead with traditional payment options is just to big. Paypal has 30 cents per transactions IIRC? Way too much if you just want to proces a few cents or even a fraction of a cent. Systems like Flattr or Kachingle solve this in another interesting way but it's still not ideal.
Crypto currencies would solve nicely this problem but of course, there needs to be easier ways of getting them and paying with them. I have no doubts that the latter will come quickly (see also the new Payment Request API). The former, we'll have to see. But I'm optimistic and would be surprised if we didn't have that within 5 years.
Come back when there is a crypto currency that is not 99% scam and speculation. Volatility in value and the missing anonymity is what makes Bitcoin etc utterly useless for anything reasonable.
Did I mention Bitcoin anywhere in my post? I deliberately talked about "crypto currencies" and didn't single out any of the existing ones that could be used for this. It's also possible that a new, not-yet-existing one could be used for this, like the Facebook coin/token mentioned elsewhere in the thread.
A crypto currency backed by a real world currency would of course be best as you don't have an issue with volatility but you have to live with some volatility anyway, if you don't restrict yourself from buying from places that use the same currency as you.
Anonymity is obviously not a problem for most people as you can see by all those people that use Paypal and credit cards. For those people even the level of pseudonymity that Bitcoin offers would actually be an improvement.
Actually, why is this not a potential legitimate business model?
I let you stream content for free and you let me mine cryto-coins with your spare CPU cycles while you watch. Isn't that better for people who don't like all the tracking by ads?
It only really makes sense with browser-level cpu scheduling. Otherwise there's no real way to throttle the amount of cpu these bitcoin miners take from you.
Without that, I think people are unlikely to be sympathetic and they'll be snagged by ad blockers rapidly: consent is the cornerstone of products people like.
Why would they block miner.pr0gramm.com, which is only used in one specific place (the pr0gramm site itself) where you need to explicitly press a start button to mine?
My point is that it's clear that you mine when you use their miner. You get premium points on the website as a reward. How is that shady? I think it's a perfect use case of where a web miner makes sense as an alternative monetization method.
Chrome has added throttling for inactive tabs. The problem is this is an active tab open for long stretches of time doing a somewhat cpu intensive task, so throttling isn't an option. I also doubt that be too adversely affected by slipping down the search rankings in this case.
Which is a lot easier toeasure than long running CPU usage unfortunately (at least not without privacy concerns - e.g. getting real world data from users)
> why is this not a potential legitimate business model?
I was thinking the same thing the other day when I first heard about it. One of the main issues with existing subscription models is that some people only want to consume a small fraction of what is available from a service provider (news, music, video etc) yet have to pay a not-insignificant fee for access to everything. A good example would be the latest Star Trek series only being available in the US via CBS All Access (thankful that I'm in a country where it'll be available on Netflix).
If I could lease out my CPU for a real-time exchange of services, that'd suit me just fine. I already have accounts with an energy provider and ISP, so it's one fewer monetary relationship I need to worry about.
You could be asked on a per view basis, so by default all sites are blocked and need to ask for the exchange to be approved. You could also white-list trusted sites, or for a set period approve all requests not unlike a software firewall e.g. Little Snitch paired with an ad-blocker.
This is something the W3C should standardise at the browser level so it's not inefficient and works across different browsers effectively. It could potentially save journalism and other business models that don't jive well with existing subscription/payment structures.
At the end of my post I suggested it be standardised at the browser level for this purpose. Just because the implementation sucks now doesn't mean it has to always suck.
It is a non scalable model. The more people who use this the greater the rating for mining. Currently it takes 5.5 billion hashes to meet the min payment for coinhive. At full power you might get 30h/s per person on a desktop or 15h/s on a phone. If you had 10000 mobile visitors who came everyday and stayed 1 minute it would take 10000 days to get min payout: 1/2 a monero coin so about 40/50 dollars. I don't see how this will replace advertising where one affilate sale could replace this income.
Or a browser that offers a first-class mining API. Then we'll see every device come with a specialized mining chip. As long as you meet the required number of hashes you get the add-free experience.
Not if it's free and distributed worldwide. 99% of people don't even know what these coins are, regardless of what happens in the background when a computer requests content on a server.
If were talking about new monitisation schemes, can we not entertain the thought of using newer technologies better suited to streaming at scale? I'm thinking of IPFS in particular, but there are probably other solutions as well.
I hate it being done without informed consent. It's also a huge waste of electricity. On the plus side it could lead to micropayment funded instead of ad-funded sites.
It doesn't have to completely cover the costs, only offset it some and be used in conjunction with other income generation methods.
Personally, I don't mind it so long as it is both fully disclosed and the ramifications fully explained - both in an accessible manner to a layperson. So long as they do that, I'm okay with it. I'm more okay with it if they give the user a simple means to opt out in a meaningful fashion.
Now, chances are exactly none of those conditions will be met in the real world. But, in principle, I am okay with it.
Unless you just package it and let youtube do the actual streaming. Imagine creating "cat-videos.com" and embedding all the youtube videos into the site but providing a better UI for browsing them.
> "Upon reviewing our products and code, the HTML comments shown in the screenshot that are referencing newrelic were not injected by New Relic's agents. It appears they were added to the website by its developers."
> [Coin Hive] did confirm to us, however, that the email address used to set up the account was a personal one, and was not an official CBS email address, further suggesting malicious activity.
Yeah, it was obvious it was never NewRelic. But it is not obvious if it was a contractor, and employee, or someone who gained access through other means.
Given the difficulty of mining any worthwhile cryptocurrency these days (even using GPU farms instead of a web browser running on a tablet or underpowered laptop) I doubt it'd generate enough revenue to make up for the loss of ads or other micropayment options.
Furthermore you can't even fix the price of the payment since you're at the mercy of the hash difficulty and the cryptocurrency value. Doesn't seem like a very good business model to me.
"Spare CPU cycles" were only a thing back in the 90's, when CPUs ran at a fixed frequency, and it didn't make much difference whether it was running useful code or waiting in the idle loop. Nowadays, the frequency and voltage vary depending on whether the CPU is being used or not, so instead of "spare cycles" doing nothing the CPU powers itself down.
Because if this becomes mainstream, people will come to know what crypto currency and mining is and wonder why arent they mining it themselves (more effectively so using native clients instead of shitty js miners) instead of giving them to others in exchange for content they were getting anyway with adblock.
So, you cut my phone’s battery runtime to nothing, cost me 10 to 100x more than you get yourself in electricity (German electricity prices are north of 0.40$ per kWh), and with a few dozen tabs my system crashes?
On a similar note, I wonder how much money the Chinese government could make if they used the method they used to DDoS Github [0], but instead to load crypto-coin mining JavaScript onto every Baidu user's computer?
Then again, that seems like one of the fastest ways to make the average citizen actually angry at the Great Firewall.
The Chinese government is working hard to decrease pollution, not add additional stress on the power grid. Incentives change when you're the one responsible for all the externalities.
The GFW works both ways. That attack injected code into Chinese browsers viewing sites outside the GFW, but it could just as easily inject code into browsers outside the GFW viewing Chinese sites...
How soon before this kind of behavior gets worse name than actually running ads? Coin-hive is not helping it's case by allowing people to run the miner without approval. It wont take much time before most anti-virus/malware start tagging it as malicious.
- Hacker H hacks site, injects cryptomining script
- Because H doesn't want other hackers to do the same, he will make the site secure and thereby kind of "maintain" it (in a security sense)
- Because H doesn't want the site to slow down endlessly, he will use cryptomining "as much as possible" while still keeping the site sufficiently responsive (otherwise traffic would go down and net income would decrease in the long run)
End result: a kind of a symbiotic relationship between a gray hat hacker and a standard web content provider.
But it could make an entertaining short story, with H eventually sitting in meetings with everybody not realizing that nobody hired him, H himself slowly forgetting that, an intermediate crisis when H's position is threatened after a merger and a dramatic finale when all is revealed after H is chosen as the next CEO.
I have heard of malware that does more or less the same: exploit a vulnerability, but patch it as soon as it has access to prevent others from exploiting it too.
While your plan makes sense, I can see a future where there are two big gray-market parties left that use the equipment under their control to attack the other party, and not mine crypto...
The other day someone was ranting about web app technologies. This is actually nice idea. A browser without javascript. For all the fun interaction, browser may add extensions of widgets. Let all richness be supplied by browser.
That would be worse than JS obfuscation of content because now it's browser specific PLUS you gotta execute an arb program (which is the real problem) to (maybe) get the result.
The separation of content from presentation is a fundamental building block of the past and future of the internet. Attempts to mix the two will fail. Flash is dead and it's close relative javascript is next. Outdated players will resist because without JS their data is accessible.
Everything is a violation of the CFAA. It's just a matter of who it is rocking the boat. They could just as easily make a ToS that would make it a violation of the CFAA to disable the monero miner.
I don't see any problem with crypto-miners on pages for revenue though. They're no more resource stealing or annoying that the typical JS 'web app' that pass for websites these days.
I'm not a lawyer, so my opinion is worth what you paid for it, but...
Without an authentication bypass, I don't think the CFAA applies (last I perused it).
The end user probably doesn't have standing under CFAA unless the website's ToS suggested they would not act this way. If you, as a web visitor, visit a website you are largely at the mercy of whatever plugins they load onto your browser during that session. In exchange for access to the content on the site, the website owner can steal your data (tracking + analytics), your bandwidth (autoplay advertising videos), and the processing resources associated with loading a webpage (or whatever else you can do in a webpage).
The website's owner might be able to bring a case against the person who injected it, perhaps (depending on who it was and who authorized it). The infraction may not be "breaking into" a computer as the CFAA requires if it was a CBS/Showtime employee/contractor who did it. It is almost certainly grounds for some sort of punitive employment / civil action if it wasn't a requested feature by CBS/Showtime.
The fun part about the law is that the gray areas aren't all defined ahead of time. Web visitors can sue or attempt to bring criminal charges and we get to watch how it unfolds in the courts.
But when I go to a website I expect to get the content. I don't expect the owner to use my computer for mining. That seems like unauthorized use to me.
While I don't think that's actually how the law can be interpreted, it does get at the central issue most computer users/researchers have with the law. It allows different standards for what "unauthorized" means, hence it is very elastic and can easily be abused, especially when combined with the plea bargain process (@see Aaron Schwartz).
But when I go to website I expect to get the content. I don't expect the owner to use my computer for running a bunch of tracking ad code. That seems like unauthorized use to me.
CFAA is wholly or at least primarily a part of the code focusing on criminal violations. So unfortunately it would require a motivated government attorney in order to invoke the CFAA. This likely falls beneath their outrage level.
If this becomes an open-source library that you can integrate into your app's own JavaScript blob and obfuscate, it can become ridiculously difficult to detect and distinguish from regular JavaScript processing in a sufficiently complex web app, as long as the actual mining is throttled to a reasonably low rate.
This seems like something that will inevitably be everywhere and displace some use cases for advertising, and could possibly even replace it entirely eventually. I personally see it as the lesser of two evils, as long as apps don't try to run miners at full throttle and thereby provide a horrible user experience, and instead operate it at say 95% idle and only when I'm actively using the app. Although in practice I realize this is almost impossible to identify and enforce.
I'd much rather offer some limited amount of compute on my devices to support content creation on the web and than to offer my privacy and be subjected to subliminal mind tricks 24/7 as I'm forced to in the status quo.
If you obfuscate it it will run even slower, and it wouldn't be hard to detect the code heuristically and kill it. And in case it does become really hard, you can just kill the network requests so whoever is mining on your PC doesn't get squat.
I just did the math for my machine, because why not...
I was getting 35 hashes a second on my stock i5 2500K [0] with four threads. This was enough to get my fans revving up more than any game I ever play. For that rate, it works out to ~0.0018 USD per hour, using their 47 USD rate for the .5 XMR minimum payout.
It's just some developer who injects coin-hive code on the website he manages hoping to make a quick buck. Executives will never direct to mine from user considering the incredible low ROI. And the dev is HN reader as the coin-hive post was on top some days ago.
There's a $5000 threshold for stealing CPU time. A mining program might hit that.
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
By downloading an executable and starting it, don't you consent to it running on your computer? Despite this, distributing malware is illegal in most cases.
For those like me who interpreted the title to mean that CBS/Showtime had deliberately inserted the crypto-mining code themselves and been caught red-handed doing it: nobody knows who actually did it. The author hypothesizes that it was some malicious actor who got access to Showtime's code base, although this hypothesis is based on the author's surmising that it would be extremely unlikely for CBS to do this deliberately.
The economics of in-browser mining as an alternative to ads is stupid. Everyone would be better off if the user just payed a fraction of a cent per page visit with a credit card. That such a convoluted an inefficient mechanism is being seriously considered is a demonstration of how woefully ill-suited our economic model is in the information age.
I see ads, I might not realize that the website I'm browsing is using my CPU to mine coins. If the website is upfront about using my browser to mine I don't think it's particularly unethical.
