I bet some clever person on the marketing team just went ahead and inserted the tag. My first experience on a large corporate dev team was eye-opening. While the core product code was version controlled and reviewed, the marketing team had the power to insert any kind of scripts onto the page without clearance. In theory, anything new on the page would require many ridiculous meetings. In practice, they could and did put in whatever through a third-party like New Relic.
Tealium was my worst enemy at a previous job. 5 different departments had access to dump whatever garbage scripts they wanted on the website with no auditing by devs to make sure it wouldn't break things. I eventually put in a feature flag to nuke everything from Tealium to help us debug problems because so many were caused by rogue scripts.
An unexpected side benefit was being able to demonstrate side by side the effect that 200 extra scripts were having on pageload times.
Ha, that gives me flashbacks! I worked in a similar environment where more than once the production site(s) (multi-country deployment, big brand) would show a blank screen because some ad script did a "document.write". Or some hastily-added external dependency would stop working and render the site unusable.
The discrepancy between the care taken about deployment strategies and these regular issues always bothered me, but eventually things became more consistent. That is, our deployment strategy became haphazard and gung-ho too!
> they could and did put in whatever through a third-party like New Relic.
They didn't put anything through the third-party. It's commented as NewRelic, but anyone even glancing at the link would notice this is completely wrong.
Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?
The answer to these questions is that for many protocols and services currently in use on the Internet, the problem of recognizing and validating their "good", expected inputs from bad ones is either not well-posed or is undecidable (i.e., no algorithm can exist to solve it in the general case), which means that their implementations cannot even be comprehensively tested, let alone automatically checked for weaknesses or correctness. The designers' desire for more functionality has made these protocols effectively unsecurable.
In this talk we'll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0day, and will show where to look for these 0day. We will also discuss simple principles of how to avoid designing such protocols.
EDIT: Sandstorm was looking to fix user permissions for individual programs on computers (they went defunct/bankrupt/no-longer-developing last I heard).
What I'm looking for is a user-facing, user-friendly structure that A) Does only what the user wants to do, e.g. load site B) Explicitly does NOTHING else, e.g. run javascripts for cryptocurrency.
How could this work? Maybe your SecureBrowser*tm would only run Javascripts that have their hashes, and the hash of all the simultaneous Javascripts running on that page, approved by a network. Your client frequently checks this blockchain (why not) to download the latest approved scripts.
I’ve been running a miner via coin-hive.com. The earnings are ridiculously low. With 5 ad slots, I make around $6 RPM. With coin-hive/monero, it's not even equivalent to $0.5. Unless you are a website with the page open for hours and you have millions of views, this does not even make sense.
In the absence of an effective micropayment method, I could see this exchange of mining for content becoming main stream that replaces commercials. The cost to the viewer is ultimately a few cents of electricity, without the need for a bank account information, which the content producer indirectly turns into cash.
Actually, why is this not a potential legitimate business model?
I let you stream content for free and you let me mine crypto-coins with your spare CPU cycles while you watch. Isn't that better for people who don't like all the tracking by ads?
It only really makes sense with browser-level cpu scheduling. Otherwise there's no real way to throttle the amount of cpu these bitcoin miners take from you.
Without that, I think people are unlikely to be sympathetic and they'll be snagged by ad blockers rapidly: consent is the cornerstone of products people like.
> why is this not a potential legitimate business model?
I was thinking the same thing the other day when I first heard about it. One of the main issues with existing subscription models is that some people only want to consume a small fraction of what is available from a service provider (news, music, video etc) yet have to pay a not-insignificant fee for access to everything. A good example would be the latest Star Trek series only being available in the US via CBS All Access (thankful that I'm in a country where it'll be available on Netflix).
If I could lease out my CPU for a real-time exchange of services, that'd suit me just fine. I already have accounts with an energy provider and ISP, so it's one fewer monetary relationship I need to worry about.
You could be asked on a per view basis, so by default all sites are blocked and need to ask for the exchange to be approved. You could also white-list trusted sites, or for a set period approve all requests not unlike a software firewall e.g. Little Snitch paired with an ad-blocker.
This is something the W3C should standardise at the browser level so it's not inefficient and works across different browsers effectively. It could potentially save journalism and other business models that don't jive well with existing subscription/payment structures.
Given the difficulty of mining any worthwhile cryptocurrency these days (even using GPU farms instead of a web browser running on a tablet or underpowered laptop) I doubt it'd generate enough revenue to make up for the loss of ads or other micropayment options.
Furthermore you can't even fix the price of the payment since you're at the mercy of the hash difficulty and the cryptocurrency value. Doesn't seem like a very good business model to me.
"Spare CPU cycles" were only a thing back in the 90's, when CPUs ran at a fixed frequency, and it didn't make much difference whether it was running useful code or waiting in the idle loop. Nowadays, the frequency and voltage vary depending on whether the CPU is being used or not, so instead of "spare cycles" doing nothing the CPU powers itself down.
Because if this becomes mainstream, people will come to know what crypto currency and mining is and wonder why aren't they mining it themselves (more effectively so using native clients instead of shitty js miners) instead of giving them to others in exchange for content they were getting anyway with adblock.
So, you cut my phone’s battery runtime to nothing, cost me 10 to 100x more than you get yourself in electricity (German electricity prices are north of 0.40$ per kWh), and with a few dozen tabs my system crashes?
On a similar note, I wonder how much money the Chinese government could make if they used the method they used to DDoS Github [0], but instead to load crypto-coin mining JavaScript onto every Baidu user's computer?
Then again, that seems like one of the fastest ways to make the average citizen actually angry at the Great Firewall.
How soon before this kind of behavior gets a worse name than actually running ads? Coin-hive is not helping its case by allowing people to run the miner without approval. It won't take much time before most anti-virus/malware start tagging it as malicious.
- Hacker H hacks site, injects cryptomining script
- Because H doesn't want other hackers to do the same, he will make the site secure and thereby kind of "maintain" it (in a security sense)
- Because H doesn't want the site to slow down endlessly, he will use cryptomining "as much as possible" while still keeping the site sufficiently responsive (otherwise traffic would go down and net income would decrease in the long run)
End result: a kind of a symbiotic relationship between a gray hat hacker and a standard web content provider.
If this becomes an open-source library that you can integrate into your app's own JavaScript blob and obfuscate, it can become ridiculously difficult to detect and distinguish from regular JavaScript processing in a sufficiently complex web app, as long as the actual mining is throttled to a reasonably low rate.
This seems like something that will inevitably be everywhere and displace some use cases for advertising, and could possibly even replace it entirely eventually. I personally see it as the lesser of two evils, as long as apps don't try to run miners at full throttle and thereby provide a horrible user experience, and instead operate it at say 95% idle and only when I'm actively using the app. Although in practice I realize this is almost impossible to identify and enforce.
I'd much rather offer some limited amount of compute on my devices to support content creation on the web than offer my privacy and be subjected to subliminal mind tricks 24/7 as I'm forced to in the status quo.
It's just some developer who injects coin-hive code on the website he manages hoping to make a quick buck. Executives will never direct to mine from users considering the incredibly low ROI. And the dev is an HN reader as the coin-hive post was on top some days ago.
For those like me who interpreted the title to mean that CBS/Showtime had deliberately inserted the crypto-mining code themselves and been caught red-handed doing it: nobody knows who actually did it. The author hypothesizes that it was some malicious actor who got access to Showtime's code base, although this hypothesis is based on the author's surmising that it would be extremely unlikely for CBS to do this deliberately.
The economics of in-browser mining as an alternative to ads is stupid. Everyone would be better off if the user just paid a fraction of a cent per page visit with a credit card. That such a convoluted and inefficient mechanism is being seriously considered is a demonstration of how woefully ill-suited our economic model is in the information age.
mattmanser | 8 years ago
Google Tag Manager is a serious game-changer that provides the kind of competitive edge our clients need.
- Caleb Whitmore, Founder & Chairman, Analytics Pros
You want to let Marketing add script tags on the fly? Are you fucking insane?
- Anonymous Developer
wavefunction | 8 years ago
I had a similar request for Google Tags and I explained my concerns to my CTO and voila, no Google Tags that didn't come through us.
hellbanner | 8 years ago
https://www.youtube.com/watch?v=CiqioE1zGCw talks about this
quintin | 8 years ago
Or maybe I am not doing this right.
pharrington | 8 years ago
edit: And CBS most likely never ordained the mining to begin with.
ruytlm | 8 years ago
Also, I question whether it's a sensible use of electricity on the whole.
beedogs | 8 years ago
Downloading the 1080p torrent off TPB.
merkaloid | 8 years ago
Greed basically.
kuschku | 8 years ago
No thanks.
indiv0 | 8 years ago
[0]: https://arstechnica.com/information-technology/2015/03/massi...
nicolashahn | 8 years ago
Can't wait for this to show up as a plot device for Mr. Robot or something.
jakeogh | 8 years ago
https://github.com/jakeogh/glide (dont use the recent commits)
slezyr | 8 years ago
3 quite big Ukrainian web sites were found to use the same script.
https://www.facebook.com/evg.bell/posts/1629626063766125