back to article Badass alert: 1 in 5 Brits don't give a damn about webpage crypto-miners

More than 20 per cent of Britons don't mind letting websites hijack their CPUs to mine cryptocurrency, a slightly stale survey has found. YouGov's survey of 2,174 people, conducted back in September/October but now apparently relevant again thanks to "Computer Security Day" yesterday [EVERY day is computer security day, kids …

  1. Anonymous Coward
    Anonymous Coward

    More sensible users would like regulation

    Truly? I'd be more inclined to believe that sensible users wouldn't count on regulation. Regulators typically show poor agility in dealing with the dynamic tactics of online miscreants.

    Aren't there already existing laws that address the deliberate misuse of computer systems? Is there a theft of utilities law that could be dusted off? Theft of the electricity that powers these errant CPU cycles might make an interesting legal argument.

  2. RyokuMas Silver badge
    Trollface

    "Aren't there already existing laws that address the deliberate misuse of computer systems?"

    Yeah, but Google, Facebook et al are big enough to lawyer/lobby their way around them.

    1. Christian Berger Silver badge

      Plus Google, Facebook et al likely have a TOS document you signed which allowes them to do that.

      1. Doctor Syntax Silver badge

        "Plus Google, Facebook et al likely have a TOS document you signed which allowes them to do that."

        But which would be unenforceable if contrary to law.

        1. Anonymous Coward
          Anonymous Coward

          That's part of the above. They have enough clout to make such things "go away."

  3. Christian Berger Silver badge

    Considering what the "legal" Javascript malware does...

    ... crypto mining is rather fair. Instead of leaking personal data into large databases and actively launching an attack against your system and perhaps even your brain along with your CPU power, crypto miners just want your CPU power.

    To me, that's by far the lesser evil.

    1. Michael Vasey

      Re: Considering what the "legal" Javascript malware does...

      The one time I ran into this stuff it rammed my CPU up to 100% and set my laptop's fans to running like a jet engine. That doesn't strike me as something I want to have happen too regularly if I want the laptop to stay functional. I'll pass on that deal.

    2. JohnFen Silver badge

      Re: Considering what the "legal" Javascript malware does...

      " Instead of leaking personal data into large databases"

      How do you know they aren't doing that? If I could be guaranteed that the mining software just mines and doesn't track me or reveal any personal or machine data about me, then I'd be all in favor. The issue is that can't be guaranteed at all. Mining requires you to allow arbitrary code to execute on that machine. That code could do anything at all. Your only "protection" is taking the word of the miner about it, and history has shown you can't take the word of anyone about that sort of thing.

      1. Raumkraut

        Re: Considering what the "legal" Javascript malware does...

        Mining requires you to allow arbitrary code to execute on that machine. That code could do anything at all.

        Nothing special about mining here. Many websites already require javascript, aka the ability to execute arbitrary code on your machine, just to view the page content. And quite often they already use 100% of your CPU, just to automatically start playing a video at full volume.

        I really hope that this trend of in-browser mining continues, and the browser makers get a clue and start giving the user more control over CPU allocation per website. That's the only real fix that we need or should be asking for, as guidelines and regulations will always be ignored by the "bad guys".

        1. Charles 9 Silver badge

          Re: Considering what the "legal" Javascript malware does...

          No, what we REALLY really need is to go back to a passive Web which just displayed data and nothing else. Interactivity should be left to other protocols like VNC.

          As for paying via mining, why not simply demand a payment in Monero or whatever? Then you get the client of your choice to mine and pay the toll.

        2. anonymous boring coward Silver badge

          Re: Considering what the "legal" Javascript malware does...

          "I really hope that this trend of in-browser mining continues, and the browser makers get a clue and start giving the user more control over CPU allocation per website."

          Agree. Browser developers are naive, or don't care, to a silly degree.

          Can't even find out what window is misbehaving in many cases.

        3. JohnFen Silver badge

          Re: Considering what the "legal" Javascript malware does...

          "Many websites already require javascript, aka the ability to execute arbitrary code on your machine, just to view the page content"

          I suppose. I block all Javascript by default, and rarely has it ever cause a site to simply not function for me. But my website tastes probably naturally lead me away from those sorts of sites. In the few instances that I've encountered sites like that, I've just never come back to them. No big loss.

          "I really hope that this trend of in-browser mining continues"

          I don't actually care one way or the other. As is, I have to treat mining scripts the same way as I treat advertising scripts -- too dangerous to allow. So I don't really see much of a difference between ads and miners.

          "That's the only real fix that we need or should be asking for"

          Being able to control CPU allocation is nice, but very far from "the only real fix". I'd much prefer that the functionality of NoScript be part of every browser by default, to give users actual control over which scripts are allowed to run and which are not.

          1. Charles 9 Silver badge

            Re: Considering what the "legal" Javascript malware does...

            "Being able to control CPU allocation is nice, but very far from "the only real fix". I'd much prefer that the functionality of NoScript be part of every browser by default, to give users actual control over which scripts are allowed to run and which are not."

            No, because Joe Stupid will complain that their website that they MUST visit (and has no substitute) doesn't work and they can't figure out how this "script blocking" whatchamacallit works.

            Remember, always look at problems from the perspective of someone who just wants to turn a key.

            1. JohnFen Silver badge

              Re: Considering what the "legal" Javascript malware does...

              "Remember, always look at problems from the perspective of someone who just wants to turn a key."

              That's not a problem. Have it turned off by default.

  4. Anonymous Coward
    Anonymous Coward

    Is that the same 1 in 5 that allow all app every permission, open links and attachments from emails and think that google is the internet?

    1. Terry 6 Silver badge

      Precisely. The (more than) 1 in 5 that just want to use their shiny tech and not be bothered. Until it all goes 'orribly wrong. Public concerns, and even understanding, have not caught up with the power, and risks, of technology. Hence senior politicians thinking that they (allegedly) can view porn on their govt. issue PCs and not ever be found out.

    2. Anonymous Coward
      Anonymous Coward

      Or maybe some of those 1 in 5 people value their privacy more than their CPU cycles?

      I'm kidding, of course, as this will only be used as an additional source of revenue for websites, rather than as an alternative to behaviour-tracking.

  5. inmypjs Silver badge

    "stealing their processing power"

    Was that what they were asked?

    What would the result have been if asked "stealing their money via their electricity bill" ?

    1. Dan 55 Silver badge

      Re: "stealing their processing power"

      You wouldn't steal a baby

      You wouldn't shoot a policeman

      And then steal his helmet

      You wouldn't go to the toilet in his helmet, and then send it to the policeman's grieving widow

      And then steal it again!

      1. Anonymous Coward
        Anonymous Coward

        Re: "stealing their processing power"

        How do you know? For items 1 through 4, I might just if I was having a real Mr Angry day..

        But having shat in the copper's helmet, I probably would decide not to steal it again, so you'd be 20% correct.

    2. Anonymous Coward
      Anonymous Coward

      Re: "stealing their processing power"

      You make a good point because most people will probably think that while it's processing it's not actually doing anything.

  6. Fading Silver badge
    Coat

    CPU cycles?

    With only four cores in my CPU then a big fat no. Now if you wanted to use a couple of my stream processors in my GPU - as long as it took less power than rendering the adverts we might have a deal......

  7. Christopher Reeve's Horse
    Holmes

    Hang on a minute...

    It's only 1 in 10 Britons once you subtract the 10% that don't use the internet at all, that sounds much more realistic.

    1. JEDIDIAH
      Devil

      Re: Hang on a minute...

      I wouldn't expect any more than 1 in 10 Brits to even understand the question. I would expect most people to look at you like you have two heads after asking them that kind of question.

  8. Rich 11 Silver badge
    Joke

    Gruaniad

    It's Grauniad. Come on, you could at least make the effort to mis-spell it correctly!

  9. FuzzyTheBear
    Stop

    An ounce of prevention.

    It's all nice and good .. it's definitely not a resource ( cpu ) i want shared with anyone .. there's BOINC for that , but how do i make sure none of that mining code runs but a line of code on my machine, which i pay for and the bandwidth which i also pay for ? I'm running LinuxMint /Firefox and would like to be sure to totally block any unwanted software from running on my box and this is exactly it. Ideas ?

    1. Uncle Slacky Silver badge
      Boffin

      Re: An ounce of prevention.

      The NoScript (if it's been updated for Firefox Quantum by now) or maybe uMatrix Firefox extensions should enable you to selectively block the mining scripts.

      1. Killfalcon Silver badge

        Re: An ounce of prevention.

        NoScript's been updated for Quantum. The interface changed a fair bit and it badly needs to use /words/ instead of just icons, but it blocks the badness on-demand, just like it always did.

        1. JohnFen Silver badge

          Re: An ounce of prevention.

          "NoScript's been updated for Quantum"

          Yes, but it's pretty terrible to use now. Me? I'm passing on FF 57 so I can keep using the better version of NoScript.

    2. Mark 85 Silver badge

      Re: An ounce of prevention.

      If you're running Winders... put this in your Hosts file:

      127.0.0.1 api.taboola.com

      127.0.0.1 taboola.com

      127.0.0.1 coinhive.com/lib*

      127.0.0.1 coin-hive.com/lib*

      127.0.0.1 coin-hive.com/captcha*

      127.0.0.1 *.coinhive.com/proxy*

      127.0.0.1 *.coin-hive.com/proxy*

      127.0.0.1 jsecoin.com/server*

      127.0.0.1 *.jsecoin.com/server*

      127.0.0.1 server.jsecoin.com/*

      127.0.0.1 *.server.jsecoin.com/*

      127.0.0.1 load.jsecoin.com/*

      127.0.0.1 *.load.jsecoin.com/*

      127.0.0.1 static.reasedoper.pw/*

      127.0.0.1 mataharirama.xyz/*

      127.0.0.1 listat.biz/*

      127.0.0.1 lmodr.biz/*

      127.0.0.1 minecrunch.co/web/*

      127.0.0.1 minemytraffic.com/*

      127.0.0.1 crypto-loot.com/lib*

      127.0.0.1 *.crypto-loot.com/proxy*

      127.0.0.1 *.2giga.link/wproxy*

      127.0.0.1 *.2giga.link/hive/lib/*

      127.0.0.1 ppoi.org/lib/*

      127.0.0.1 *.ppoi.org/lib/*

      127.0.0.1 *.ppoi.org/token/*

      127.0.0.1 coinerra.com/lib/*

      127.0.0.1 kisshentai.net/Content/js/c-hive.js*

      127.0.0.1 miner.pr0gramm.com/xmr.min.js*

      127.0.0.1 kiwifarms.net/js/Jawsh/xmr/xmr.min.js*

      127.0.0.1 anime.reactor.cc/js/ch/cryptonight.wasm

      127.0.0.1 joyreactor.cc/ws/ch/*

      127.0.0.1 kissdoujin.com/Content/js/c-hive.js*

      127.0.0.1 ppoi.org/lib/*

      127.0.0.1 minero.pw/miner.min.js*

      Or goto: http://someonewhocares.org/hosts/ and use that in your Hosts file (which stops a lot more than miners, BTW.

      1. James R Grinter

        Re: An ounce of prevention.

        Hosts files don’t work like that.

  10. Chris King Silver badge
    Facepalm

    "...a fifth of folk don't care about web pages stealing their processing power to make magic computer cash"

    These people do realise THEY won't be seeing any of that magic computer cash, right ?

  11. User McUser
    Alert

    Ads -vs- Cryptomining

    Cryptomining just might save us all from the horrifying ad-supported future ahead of us. (Sorry if that link is geofenced.)

    In the current phase of the Internet, advertising rules the Web for sure. Entire systems have been established to coerce and fool people into clicking on links to generate ad impressions (or whatever the term is these days.) Because the advertising model rewards you for getting a lot of people to go to your site, you don't need any real content. It provides an incentive for websites to have small pages with a lot of ads surrounding said "content" and to stretch and split longer sections into multiple smaller pieces. (That way you have to click on the next page to get the next segment of content which results in loading more advertisements; rinse and repeat.)

    Thus the rise of the "listicle" and the explosion of "fake news" websites. It's the web equivalent of SPAM; you only get a fraction of a $CURRENCY_UNIT for each person who loads the page so you need to get many thousands (or millions) of people to load a given webpage in order to make any money. Thus small pages with click-bait headlines and little to no actual content. Fake News leverages outrage and the hyper-partisanship of our day to drive users to their site and thus bump their impression rate.

    But the important thing to remember is that they don’t need you to *stay* at the site. They don’t need you to become a regular visitor and they don’t need to have truthful or entertaining content. They don’t need anything other than gibberish, ads surrounding the gibberish, and then something to trick you into loading the gibberish. They have “Red Flag” headlines designed to get people emotionally invested in clicking but it doesn’t really matter what the headline is or what the actual content is once you click the link; they just need your eyeballs on the page long enough to register the view. In fact the less time you spend there the better – it lets you go back to Facebook or wherever you were when you saw the link in order to present you with a new link to click on in order to generate more ad views (rinse and repeat.)

    Cryptomining in the browser requires the exact opposite approach. If someone clicks a link and finds nothing of interest to keep them reading, then the cryptomining website owner makes nothing. But if they can convince you to *stay* at that site by, say, providing actual content that is interesting and informative, then they will make money from the coins being mined while you are there. Thus it will be in the site’s best interest to attract more users and to keep them there longer. The more people with the page open and running the mining code and the longer people stay at a given site the more money generated for the site.

    It’s not a panacea or course and there will be people who will abuse cryptomining systems as sure as people figured out how to abuse advertising systems. But browsers could provide a management method to control cryptomining much more efficiently than they can block ads; it could be as simple as a whitelist/blacklist of sites or cryptocurrencies or more complicated like some way to tell if you are actively reading a site's content or if there is merely a hidden window somewhere running code.

    TL;DR – Ad revenue encourages a minimal amount of low quality content on websites designed to get you in and out quickly and repeatedly. Cryptomining revenue encourages high quality and engaging content that gets you to stay at that site longer.

    1. Jack of Shadows Silver badge

      Re: Ads -vs- Cryptomining

      Pretty much everything I've discussed elsewhere (Twatterverse). Just one additional observation is that you'll need to have some constraints around how many of these running at the same time for the other tabs. Some browsers only allow one tab to be active on Android, for instance, while on Windows everything is firing at the same time even having only one active tab per browser. Often times I'll have three browsers on the laptop at the same time due to other considerations. Security concerns, browser suitability and even compatibility/fitness for purpose.

      I don't have a real preference given how often malware depositing ads appear and loading on the system memory and processor(s) from advertisements themselves. Until we come up with a real, functional, simple micropayment system, this is an alternative. It'd be nice to have a working alternative to the ad supported system. That model is broken. Maybe here as well. It's down to trade-offs.

  12. DougS Silver badge

    I'd love to "pay" for pages with mining time

    In exchange for them being ad free. While I'm on El Reg, they could run a miner in the background and collect some revenue they currently aren't getting from me due to my ad blocker.

    Of course, Google would do EVERYTHING in their power to sabotage such a thing - perhaps that's why they want to build in their own "ad blocker". Bet it only blocks ads that try to run mining software, and "accidentally" blocks all attempts to run mining software even when OK'ed by the user.

    This concept is an existential risk for Google, and they will spare no effort to kill it or FUD it to death.

    1. LaeMing Silver badge

      Re: I'd love to "pay" for pages with mining time

      Yes, as long as the site is up-front about it and uses a properly-written script, I would support sharing some spare CPU. In winter, when I would otherwise turn up the space heater, I'd share ALL my spare CPU.

  13. mark l 2 Silver badge

    I don't think that crypto mining is going to be able to completely replace ads on websites. The javascript to run the mining code either needs to be on websites that get millions of hits or on a site that gets less hits but people staying on their for a longer period of time (or both) to make the equivalent amount of money that a website can get from showing ads.

    Coin mining could easily replace ads on Facebook or Youtube even if it were run at its lowest CPU setting and still get millions of hours CPU time because of the huge numbers of users who are on these sites for hours. But for smaller sites that get most of their traffic from search engines probably wouldn't have enough people staying on there for long periods to make it profitable.

  14. Richard Jukes

    Less ads because income is generated from crypto currency mining?

    Yeah right.

    That's like saying that government tax receipts are up this year so they will reduce tax next year.

  15. Fazal Majid

    Doesn’t make sense

    Given how slow general purpose CPUs are compared to GPUs, how even GPUs have been superseded by ASICs for Bitcoin, and how JavaScript code is orders of magnitude slower than the native C/C++ code that can"t compete with GPUs, I don’t understand how this can make money for the operators. Granted, crypto currencies other than Bitcoin or Ethereum have not started the hardware race of their more mature forebears, but it would probably take less effort to code a CUDA or OpenCL implementation of Monero than all this infrastructure for JS mining.

    1. Anonymous Coward
      Anonymous Coward

      Re: Doesn’t make sense

      Modern cryptocurrencies have specific hardware demands that make GPUs and ASICs less than optimal and put an emphasis on CPU-specific instructions as proof-of-work. Think motion estimation and other memory-divergent tasks; these kinds of tasks remain a realm where the CPU rather than the GPU is preferred.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019