Have Some Candy While I Steal Your Cycles

Distributed computing is an excellent idea. We have a huge network of computers, many of them always on, why not take advantage of that when the user isn’t? The application that probably comes to mind is Folding@home, which lets you donate your unused computer time to help crunch the numbers for disease research. Everyone wins!

But what if your CPU cycles are being used for profit without your knowledge? Over the weekend this turned out to be the case with Showtime on-demand sites, which mined Monero coins while the user was pacified by video playback. The video is a sweet treat while the cost of your electric bill is nudged up ever so slightly.

It’s an interesting hack: even if the user notices the CPU maxing out, they’ll likely dismiss it as the horsepower necessary to decode the HD video stream. In this case, both Showtime and the web analytics company whose JavaScript contained the mining software denied responsibility. But earlier this month Pirate Bay was found to be voluntarily testing out in-browser mining as a way to make up for dwindling ad revenue.

This is a clever tactic, but it comes perilously close to being malicious when done without the user’s permission or knowledge. We wonder if those ubiquitous warnings about cookie usage will at times include notifications about currency mining on the side? Have you seen or tried out any of this JavaScript mining? Let us know in the comments below.

48 thoughts on “Have Some Candy While I Steal Your Cycles”

  1. It’s a great way to avoid reliance on ad services, a great way to build a web less dependent on adverts. Of course, the potential for abuse is there. I think it should be an opt-in thing on websites, and the ones which mine by force should just be blocked by ad blockers.

    1. I think I’d rather a site be bogged down a little by cryptocurrency mining than frozen entirely by 50 video ads all playing in separate frames. I have no problem with this if the user knows about it and it replaces ads entirely.

      1. I absofrickenlutely agree! If a site wants to make a little revenue through crypto mining using my cpu/gpu, go ahead. As long as it’s proper code nothing malicious. An opt-in in place of ads or a disclaimer if they decide to mine using every visiting computer is really all that’s necessary. The mining must be scaled back to use only like 50% of your system power, otherwise it could seriously bog down the computer. They aren’t going to make a lot of revenue from low end systems, if any at all, but several beefy systems could easily make up for the rest of them.

  2. hmmm… at least they are doing something useful with your cycles. On some websites you get huge flash animations causing the CPU to max. sometimes forcing the computer to a standstill and for what, so that we get a commercial/ad that covers the whole screen for a few seconds. A Dutch newspaper website (telegraaf), a few years ago, had these.. very annoying, it eventually drove me away from visiting that website. I’m sure it is better now as my computers have improved significantly… but still, why? In order to show that ad, they also drive up my electrical bill, which is something I did not ask for just to see some headlines.

    1. I hate them too, Jan. For some news sites, I use bugmenot for someone else’s login. Generally it will kill the page filling ads if you have an account with them (which I also despise). My main problem with news sites advertising is when there is something like an active shooter situation or trying to see the weather radar when a hurricane is coming *cough weather.com cough. If it is need to know info the last thing I want to see is some lady with fish lips advertising plastic surgery blocking everything out with the “close X” off the page so I have to go thru extra steps to view the information. I also use uBlock Origin on Chrome which helps a TON. Gets rid of most of the garbage. You can also go into your Google account settings (if you use chrome) and tame some of the random page ads that way.
      I also agree with dtremit that autoplay vids are the devil and should be outlawed, like police sirens on FM radio or alarm clock buzzing on TV ads. I also dislike the phone vibration sound effect they use in movies and tv shows as it can sometimes be confusing but I get where they are coming from.
      If you are on your phone you can hit the information (the i in a circle) and it gives you the option of getting rid of the ad. One of the options it gives is “ad obscures view” I just go with that. Good luck :)

      1. No police sirens on FM radio, so wail away on AM? That classic oldie “Indiana Wants Me” was heard on AM! What about that wasteland media where sirens and guns are heard very often. I would love to have them banned from TV too. Cool. No telephones even in classic B/W movies, as that sound byte has been used as a ringtone for awhile.

      1. the majority of the things it breaks need to be broken.

        Use NoScript and you get a handy bar at the bottom which allows you to white list sites temporarily or permanently. On HaD I have one domain white listed (temporarily when I want to make comments) out of 9.

        Google analytics, WordPress, Typekit and supply frame are all blocked but the site still works for me. It just goes to show that the majority of sites do not need as much js as they use. plus it keeps my cpu cycles low and cross site scripting attacks non existent. There are some sites that call in JS from more than 20 domains, that is a large number of attack vectors coming from a security standpoint. Call me paranoid but I run 10+ year old hardware without having to wait for it to do something because I choose what runs on my hardware very carefully and I don’t allow anything to run that doesn’t need to run. The Internet is for information, not entertainment, if I want to be entertained I will just go hang out with my dog or go work on my car or any other hobby of mine.

    1. In theory a mining application could just as easily be something to serve spam.
      The bandwidth of an end user’s machine is probably much more valuable than any CPU power it may have unless they have a couple of Tesla cards you can hijack the use of.

    2. “go ” (adds ad-blocker rule for that site). And yes, at least some of the paywalls are avoided by just removing few layers in the site ;-).
      Or Ctrl-A Ctrl-C libreoffice Ctrl-V , close tab.
      Because my phone and laptop do not have spare cpu cycles.

      1. this! my cpu cycles (and thus power usage) are mine to control. Most places that have pay-walls do not have anything of value to see, otherwise they would already have a revenue stream. For example technical manuals, those are sold through an e commerce site instead of using a paywall

    1. It’s not a huge issue unless you are doing something in the background while watching a video, say rendering some ray shading scene or some such.
      Or perhaps you are a miner yourself and have that running.

      1. Another issue is battery operated devices running out of juice rapidly of course, but you can actually detect if a device is battery powered so they could check before running such mining code.

    2. Depends a fast desktop with six to eight cores and a good video card you may not notice unless you’re also running a game but a phone or laptop with only an IGP any increase in overhead may be undesirable.

    3. My reaction was the same. While auto play videos are bad, the cluttered look of a website with ads is just as bad in my opinion. This is a most acceptable compromise to not having to look at ads.

    4. Same. A lot of sites only need a couple cents per user to pay for hosting. I’d give them my quarter directly if any system would do transactions that small. But a “donate with your electricity” works in small amounts, and works seamlessly. Imagine how many users would click the “turn off ads” button when presented. Enough to pay for hosting I’d bet

      1. Good point, make a button and see how the public react. And I too expect a lot of acceptance. Except you know how many companies are, they want it all, same how they put ads in subscription paid content they would also figure they just do mining AND ads to get twice their (then dirty) money, sigh.

  3. Try being stuck with an AT&T dsl line that has a “real world” download speed of about 380kbps.
    Pings a packet at about 2.4~2.6 gbps for test sites, but try anything on the real web (youtube stream or any software download) and after the first few seconds, you’re down to that 370~380kbps again.
    Yes, it’s part of the reason for my user name.

    and to answer any questions on the house wiring or computer equipment,
    AT&T landline service once had a “glitch” that lost my dialtone and telephone use.
    But at the same time I had internet speed like a T1 line.
    Four video streams and three music streams running simultaneously, without a hiccup.
    I waited about three weeks to report the problem…..was enjoying the web speed a bit too much!

  4. If someone wants to do this then I don’t see any reason that it should be required to inform readers. Why should it? They are strangers requesting your files that you worked on from your server most likely for no compensation. Then they display the html and execute the javascript. Who twisted their arms to execute your code without even looking to see what it does?

    I would however suggest two rules are important.

    1 – All mining should stop immediately when the user un-loads the page. Your time that the user has invited your code onto their computer is over. Take your stuff and leave.

    2 – Don’t bog down their computer with crappy code. This is where I think content providers mining for profit instead of advertising has potential for being a great improvement. Look how many sites can bring a computer to its knees just by browsing to them. Why? Because of the advertising. But how does advertising cause all of that? Because it is hastily written crappy code full of bugs!

    Ads must be constantly changing. They change because the advertiser’s time or click count is up and it is time to advertise someone else. They change because site users who aren’t there to see the advertisement in the first place learn to filter them out and so ads must constantly change to get past those mental filters and grab the users’ attention. This means everything is transitory, there is neither the time nor motivation to really debug that ad popup code and do it right.

    A mining script can be the same script tomorrow as today. So.. there is an advantage to taking the time to do it right. Also, it can be shared as open source. Many eyes can uncover the bugs. Properly written the average user shouldn’t suffer at all, meanwhile the content they came to see is getting paid for.

    I don’t see the problem with this.

    Blocking the miner however, or even participating in an opt-out system. That does cause harm. It removes the content provider’s incentive to produce content. I’m ok with this when what is being blocked is an overly obtrusive ad but think it’s pretty unfair when you are talking about a background process that causes no harm.

    1. ” I don’t see any reason that it should be required to inform readers. Why should it?”

      Because any site maxing my CPU for no apparent reason gets put on my avoid like the plague list and null routed next time I remember to edit the hosts file. So if they were to explain this was in exchange for ad free content I might consider the bargain.

  5. heh, knew a guy who lived in a moderately sized apartment complex. Set up a wireless network called “Free Porn” which when connected it’d open up Pornhub… Except in addition to loading Pornhub, it’d also attempt a few backdoors through whatever browser you were running to install a piece of software that’d mine Bitcoins in the background (shows you how long ago this was)… I seem to remember him telling me at one point he had 12 different devices in the complex mining Bitcoins in the background :-P

  6. one of the big issues is the website owners are going to be “why not both” there’s no incentive for them to turn off ad revenue too.
    I read an online newspaper. I use adblock but wanted to support them so called them up about subscribing. I was told if I subscribed not only would I still see ads but then I would also be on their mailing list.
    no thanks.
