Salon Offers To Remove Ads If Visitors Help Mine Cryptocurrency
from the just-renting dept
As we've been discussing, the rise of stealth cryptocurrency miners embedded on websites has become a notable problem. In some instances, websites are being hacked and embedded with stealth cryptocurrency miners that quickly gobble up visitors' CPU cycles without their knowledge. That's what happened to Showtime recently when two different domains were found to be utilizing the Coinhive miner to hijack visitor browsers without users being informed. Recent reports indicate that thousands of government websites have also been hijacked and repurposed in this fashion via malware.
But numerous websites are also now exploring such miners voluntarily as an alternative revenue stream. One major problem, however: many aren't telling site visitors this is even happening. And since some implementations of such miners can hijack massive amounts of CPU processing power while drawing a not-insubstantial amount of electricity, that's a problem.
The Pirate Bay for example was forced to stop using visitor CPUs and browsers to mine Monero last fall after Reddit users complained the miner was slowing down their PCs and eating up 80% of their CPU cycles. The website stated that it was simply exploring new revenue streams to keep the website afloat:
"As you may have noticed we are testing a Monero javascript miner. This is only a test. We really want to get rid of all the ads. But we also need enough money to keep the site running."
This week Salon joined the fun, informing users that they'd be happy to suppress advertisements if site visitors are willing to help mine cryptocurrency:
never seen this before: Salon now offers to "suppress ads" if you lease out your PC's "unused computing power" 🤔 pic.twitter.com/3oK78dPahN
— James Hitchcock (@JamesHitchcock) February 12, 2018
Creative exploration of alternative revenue streams is obviously necessary, and there are numerous examples where site-driven cryptocurrency miners could be used to help bolster scientific research. Salon pretty clearly understands this decision is controversial, offering up an entire website explaining how making money from journalism is hard, and the company needed to explore some new, creative solutions in order to stay afloat:
"Salon is instructing your processor to run calculations. Think of it like borrowing your calculator for a few minutes to figure out the answer to math problems, then giving it back when you leave the site. We automatically detect your current processing usage and assign a portion of what you are not using to this process. Should you begin a process that requires more of your computer’s resources, we automatically reduce the amount we are using for calculations."
That said, security researchers have similarly warned that this is a very slippery slope, and for every website that's being transparent about the process and respectful of the possible impact on computer performance, there are countless others who quite obviously won't give much of a damn about either. These are, after all, the same websites that are now engaging in ham-fisted and annoying ad blocker blocking, frequently oblivious to how their own obnoxious ad decisions drove the rise of ad blockers in the first place.
As Malwarebytes researchers recently noted, there's no shortage of websites that are already pushing their luck on this front:
"The question at this point is: How far can publishers push the limits towards a really bad user experience? You may be surprised that for many, this is not really a problem at all and that double dipping is, in fact, a fairly common practice...publishers ought to be more transparent with their audience because no-one likes unannounced guests. Unfortunately, there will always be publishers that care very little about what kind of traffic they push, so long as it generates good revenues; for those, cryptominers are just an added income to their existing advertising portfolio."
If implemented with respect for the end user and transparency, such miners may not be a bad thing. But bad actors could very quickly create an environment where users feel they're being accosted by sites that don't respect either, resulting in another layer of cat and mouse gamesmanship between site publishers and readers. So while there's certainly potential here, escalating an already adversarial relationship in the adblocker era isn't likely to excite readers, forge community, or save journalism anytime soon.
Filed Under: business models, cryptocurrency, journalism, mining, salon, transparency
Companies: salon
Reader Comments
Re:
Isn't this an oxymoron?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
its size is irrelevant to its being dishonest.
[ link to this | view in chronology ]
So, Site visitors are cows to be milked?
[ link to this | view in chronology ]
Re: So, Site visitors are cows to be milked?
Indeed.
People who think this crypto-mining is a great idea if sites get permission first aren't thinking ahead, don't understand the MAJOR security vulnerabilities this opens up, and how taxing it can be on your computer (as well as your electric bill).
First, if this ever catches on it won't be just 1 site doing this. You'll have multiple sites clogging up your computer and sucking up your resources at once. Chances are good your computer will become unusably slow and bogged down.
Second, if you can make someone's computer mine your crypto-currency, you can make their computer do all sorts of other bad things too through the same security hole. This is literally a hacker's treasure trove.
Third, running your computer full force like mining apps do isn't so good on your computer long term, nor is it good for your electric bill. Think of it this way, would your car last 10 years if you drove it at 100 MPH, or whatever its maximum speed is, for 16 hours a day? Of course not. It would last longer at a more modest speed like 25 MPH, but that extra wear would still make it have a much shorter life. And then you'd need a lot of gas to keep your car running as I outlined in that example.
[ link to this | view in chronology ]
Re: Re: So, Site visitors are cows to be milked?
As I've said many times: if someone else can run arbitrary code on your computer, it's not YOUR computer any more.
So when -- not if -- WHEN a site like Salon is hacked, or its content delivery network is hacked, the new owners are free to use this mechanism to do whatever they want on your computer. They could mine whatever the next bogus cryptocurrency is. They could use it to run brute-force decryption attempts against passwords. They could download child porn into it and then attach it to a file-sharing network. They could...well, you get the idea.
And if these actions are performed by what is nominally your computer, who do you think will bear legal responsibility for them? Do you think that a court will listen to, let alone understand, let alone believe, the argument that what your system was doing while you were sitting in front of it was completely unknown to you and in no way your fault?
(If you answer yes, then you really, really, REALLY should search Techdirt and the rest of the web for the name "Julie Amero".)
If Salon can't exist without ads (which are a cesspool of malware and privacy-destroying tracking) and it can't exist without hijacking users' systems, maybe it should just shut down.
[ link to this | view in chronology ]
Re: Re: Re: So, Site visitors are cows to be milked?
When people get used to computationally-intensive bog down on their systems, they won't be looking for a problem anymore. That means all sorts of badly designed regular malware might be ignored. It also means a hijack of the expected mining could be doing anything which is computationally-intensive. Like cracking encryption keys or brute-forcing passwords on a network that should be secure, or helping to DDoS the hell out of some target.
[ link to this | view in chronology ]
Re: Re: So, Site visitors are cows to be milked?
CPU scheduling limits/priorities/policies are an old technology. There's no good reason the computer should be "unusable".
It's a bad idea to run Javascript code, but there's no security hole being exploited here. If you allow scripting, this will run in the sandbox and not try to break out of it. (CPU-centric code like this is really easy to sandbox. Actual exploits come from complex interactions with DOM etc., not pure computational code.)
[ link to this | view in chronology ]
Re: Re: Re: So, Site visitors are cows to be milked?
I know at some point you just have to trust something or someone but voluntarily handing over control of a computer to a third party before it has been fully vetted is a very insecure practice.
Just remember spectre and meltdown. Those both exploited something that for years the world thought was safe.
[ link to this | view in chronology ]
Re: Re: Re: Re: So, Site visitors are cows to be milked?
On the other hand, legitimate, fully-disclosed use of Javascript to crypto-mine on a website doesn't increase the threat envelope for anybody.
Either you already allow scripts from that site to run, in which case you're vulnerable if/when that site gets hacked to host malware. Or, you block javascript for that site already, in which case the site is largely non-functional. These states occur regardless of whether the site does crypto-mining in JS or uses JS to manage interactions between your browser and their site.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: So, Site visitors are cows to be milked?
If I'm reading what I see out of my browser right now, THIS site uses Javascript hosted at Akamai, Google, Twitter, Soundcloud, InstinctiveAds, Amazon, ISupportJournalism, and itself.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: So, Site visitors are cows to be milked?
And none of that shit uses Subresource Integrity. Lovely. Any of it can compromise the security (grab passwords etc.) of Techdirt readers who enable Javascript. And, as you say, try to break out of the sandbox to do worse.
[ link to this | view in chronology ]
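Added example, not part of the original thread or of Techdirt's code: a Node.js audit of the point raised above about third-party scripts loaded without Subresource Integrity. It computes an SRI value, repeats the comparison a browser makes before executing a script, and lists cross-origin `<script>` tags that carry no `integrity` attribute. The host names, page markup and script bodies are constructed for illustration.

```javascript
// Added example. Hosts, markup and script bodies below are constructed samples.
const crypto = require('crypto');

// SRI value in the form the integrity attribute expects:
// "<algorithm>-<base64 digest of the exact bytes served>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// The check a browser applies before running the script: recompute the digest
// of what was actually delivered and compare it with the attribute.
// Simplified: accepts any listed hash (browsers use only the strongest
// algorithm present in the attribute).
function integrityMatches(integrityAttr, body) {
  return integrityAttr.trim().split(/\s+/).some((token) => {
    const alg = token.split('-', 1)[0];
    if (!['sha256', 'sha384', 'sha512'].includes(alg)) return false;
    return sriHash(body, alg) === token;
  });
}

// List cross-origin scripts that the page would run with no integrity pin.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /(?:^|\s)src\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue;                         // inline script, nothing to pin
    const url = new URL(src[1], pageUrl);       // resolves relative and //host URLs
    if (url.origin === pageOrigin) continue;    // first-party script
    const pinned = /(?:^|\s)integrity\s*=\s*["'][^"']+["']/i.test(attrs);
    if (!pinned) {
      findings.push({ host: url.host, src: url.href, issue: 'no integrity attribute' });
    }
  }
  return findings;
}

// Constructed library file, and the same file after someone changed it upstream.
const LIB = 'function slide(el){el.style.left="10px";}\n';
const TAMPERED = LIB + '/* content changed after the page was published */\n';

// Constructed page: one first-party script, one pinned CDN script, two unpinned.
const PAGE = `
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example/lib.js" integrity="${sriHash(LIB)}" crossorigin="anonymous"></script>
<script src="https://widgets.example/embed.js"></script>
<script src="//ads.example/tag.js" async></script>
</head></html>`;

for (const f of auditScripts(PAGE, 'https://news.example/story')) {
  console.log(`${f.host}: ${f.issue} (${f.src})`);
}
console.log('original file passes:', integrityMatches(sriHash(LIB), LIB));
console.log('modified file passes:', integrityMatches(sriHash(LIB), TAMPERED));
```

A pinned script that changes upstream is refused by the browser instead of executed, which is why SRI suits versioned library files and not tags whose content the third party changes on every request.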
Re: Re: Re: Re: Re: Re: So, Site visitors are cows to be milked?
I'm only allowing scripts from Akamai, Google APIs, and Techdirt itself, and I can use the full functionality of the comment system, as well as see the Insider Chat box. The Soundcloud embed (or I assume that's what it is) at the top of the page doesn't appear to work, but then I don't want it to; I'd be happier if it weren't even there.
IIRC, even the Akamai permission isn't necessary; I'm pretty sure I've seen other Techdirt articles, just recently, where that wasn't listed in the source domains of present scripts.
I can indeed see scripts from Twitter and from other Google domains, but they aren't being allowed to run, and the site still works fine.
[ link to this | view in chronology ]
Re: Re: Re: Re: So, Site visitors are cows to be milked?
I fully agree with you. That's not the point. The point is that this specific thing does not resemble an exploit, and there's little reason to consider it a slippery slope to one. JS exploits exist already and have a bright future; some stuff like Rowhammer might not even be fixable in software.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: So, Site visitors are cows to be milked?
[ link to this | view in chronology ]
Re: Re: Re: Re: So, Site visitors are cows to be milked?
But I'm sorry to report, you're over a decade too late to complain about this.
[ link to this | view in chronology ]
Re: So, Site visitors are cows to be milked?
What do you mean "joins"? They were milking advertising revenue from their cows/visitors from the beginning.
[ link to this | view in chronology ]
Some of those publishers have already gone from offering merely annoying ads to intrusive ads, to ads that auto play f*cking sound and/or video the moment you open their site to ads that actually cover the content you're trying to read - then they whine about you using ad blockers to try to get at the content!
Can anyone really be surprised that "user experience" is secondary to revenue at this point. That's even before you get to the security risks associated with many of the ads, I'm solely talking about the experience of looking at the article.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
I don't want a f**king experience. I want to read something or buy a widget or schedule an appointment.
Second, credit to Paul Gardner for this concise summation:
"Trying to read articles online is becoming a pretty miserable experience when you spend so much time trying to battle ads and page adjustments. It's like trying to read a book where the text keeps moving and someone keeps slapping it out of your hands."
[ link to this | view in chronology ]
Re:
blink, deprecated
[ link to this | view in chronology ]
I've got an even better offer
I have an even better offer for you!
How about, you run ads and mine cryptocurrency in browsers, and in exchange I'll never visit your site ever again.
Ever.
Never ever.
Even if you change this policy, I won't know about it because I will not ever visit your site again.
This is a fantastic opportunity for you and I think you should take advantage of it. What makes this such a great offer is the fact that the internet offers so many choices of sites that one can visit to obtain information.
Sincerely,
[ link to this | view in chronology ]
Re: I've got an even better offer
A year from now, they'll be shouting from the rooftops (again) that they've dispensed with their user-hostile behavior (again) and everyone should come back. Or they'll be dead. Either way I'll be laughing and laughing.
[ link to this | view in chronology ]
Really, *Salon*?
The popup asks users to "consider" unblocking ads, as if it's optional, but it looks like you're forced into 2 unpalatable options... or leaving completely. And are they forgetting their history:
Also, the FAQ has clearly not been copyedited, because they make the mistake of using "opt-in" where it should be "opt in" (verb form): "If I opt-in, will I see ads?". This does not make a good first impression...
(That said, the content is loading fine for me. Maybe the "third option" is to disable Javascript.)
[ link to this | view in chronology ]
Yeah, that's not even close to what is going on here. Salon doesn't offer to do anything; if you don't have an ad blocker, you don't get the pop-up, but if you do then you are blocked from reading the site until you either turn off your security extension (the ad-blocker) or agree to let Salon run the miner in your web browser.
That is not an "offer", and Salon doesn't actually block ads (visitors are doing that). What Salon is doing is issuing an ultimatum.
P.S. According to my readers, if you have a JS blocking extension then Salon's trick doesn't work.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Stop bad ads
If data tracking and demographics targeting is so important to advertisers, then the ad companies themselves need to offer this service themselves for advertisers. There needs to be an end to allowing anyone on the internet to write a script that only HALF the time delivers malware when the ad companies aren't looking.
[ link to this | view in chronology ]
Re: Stop bad ads
You might then enable them, but I wouldn't. I don't ever want to see banner ads. I might download them and not display them, so it looks good to their advertisers, but my ad-blocker removed that feature and I can't be bothered to add it back.
[ link to this | view in chronology ]
LMFTFY....
Explaining why with the passage of decades of declining revenues and growing executive pay, they haven't bothered to consider the model is flawed in the current marketspace, instead they have decided that the blockchain will save them!!!!!!
[ link to this | view in chronology ]
How about I just don't turn off the adblocker and keep noscript from letting this cryptominer get started?
I don't think any site is so exclusive that those that won't show their content without java a place I need be. All it tells me is to go search for another site without that issue.
Until ad companies clean up their act, I'm not allowing any ads shown. When I get malvertising, they don't want to talk to me or anyone else with that problem, you're on your own. If the hours it takes to clean my system is on me, so is the cure.
There's a reason why ad blockers have become popular. Ad companies have pulled too many sneakies in the past. I sure as heck don't trust them or any site pushing ads now.
[ link to this | view in chronology ]
Browsing the internet while rendering an image
I actually use my computer's processor to render images of digital models. This means the rendering software will take 80-85% of my CPU usage, usually for about an hour or two.
I use this time to browse the web and read interesting stories. I sometimes load up 5 or 6 tabs with stories to read just so Firefox doesn't have to load any pages, then I started rendering an image.
So what happens to people like me who are already using their processor? Will Salon work if its crypto-miner can't run any calculations because there's no free CPU cycles? Will I get a pop-up saying to free up more CPU or the site won't load the rest of the page?
[ link to this | view in chronology ]
Re: Browsing the internet while rendering an image
It's the other way 'round. The page loads, and then if Javascript is enabled it will bring the popup to prevent you from reading. Just kill all scripts once the content is there, or disable/block scripts to begin with, and you'll be fine.
There's no minimum mining requirement either, but if you renice your browser to avoid this CPU hog the whole thing is likely to be slow (scrolling etc.), unless you seek out the JS thread(s) and only renice that.
[ link to this | view in chronology ]
Hang on! Universal fix coming soon! -- HTML5, chock full of DRM will make BOTH advertising AND "mining" unavoidable! Long while back, TD jeered my notion that version 5 is sheerly for advertising, and you'll still jeer because...
... knee-jerk gainsayers, but won't change facts.
BTW: a few months back, was reported that Google's Chrome would remove advertising EXCEPT that from Google.
Teh "free" internets and "don't be evil" stage is over, now you're going to get all the corporatism you deserve: ruthless and unavoidable, while spying on your every action, anything typed, permanent tracking cookies, web site history and stats, mouse / finger movements, page position, noise in the room, and even direction of your eyes by way of the cameras.
So I quote John Galt: Brothers, you asked for it! -- Every time you let masnicks get away with asserting that corporations have First Amendment right that's superior to yours, you BEG to be ruled by corporations.
[And actually, even advertising isn't the ultimate goal: HTML5 is another big step toward total surveillance.]
[ link to this | view in chronology ]
Re: Hang on! Universal fix coming soon! -- HTML5, chock full of DRM will make BOTH advertising AND "mining" unavoidable! Long while back, TD jeered my notion that version 5 is sheerly for advertising, and you'll still jeer because...
Well, according to Common Law, a bird in the hand is worth two in the bush, so there.
[ link to this | view in chronology ]
Re: Hang on! Universal fix coming soon! -- HTML5, chock full of DRM will make BOTH advertising AND "mining" unavoidable! Long while back, TD jeered my notion that version 5 is sheerly for advertising, and you'll still jeer because...
[ link to this | view in chronology ]
Re: Hang on! Universal fix coming soon! -- HTML5, chock full of DRM will make BOTH advertising AND "mining" unavoidable! Long while back, TD jeered my notion that version 5 is sheerly for advertising, and you'll still jeer because...
False. Intelligent people will just avoid the places that do that.
Although, I'd laugh my ass off if Mike could implement something that targets your IPs and makes sure you mine currency for him. You've just stated you see nothing wrong with people doing that, after all.
"BTW: a few months back, was reported that Google's Chrome would remove advertising EXCEPT that from Google"
Don't like it? Use a different browser. There are many competitors.
[ link to this | view in chronology ]
Re: Re: Hang on! Universal fix coming soon, on the outside of the tracks, you take 'em, the same old babies with the same old toys, the neighbors screaming when the noise annoys, somebody naggin' you when you're out with the boys.
I don't agree with equating online savvy with intelligence. Lots of intelligent people aren't aware of what's going on with the JavaScript on a given website. Hell, even reputable websites have been known to accidentally serve up malware through their ad networks.
None of which has a damn thing to do with HTML5; Blue is, as always, an idiot, and, as always, has no idea what he's talking about. HTML5 does allow for DRM in video and audio content (and people a little more literate than Blue will have noticed that Techdirt believes that this is a bad thing), but that's got nothing to do with running code. DRM may indeed introduce security vulnerabilities, but it certainly doesn't make cryptocurrency mining unavoidable, because, uh, it has fucking nothing to do with cryptocurrency mining. Browsers run executable code through JavaScript, not HTML.
Neither does HTML5 make advertising inevitable. DRM'ed video isn't any more "inevitable" than DRM-free video. An autoplay video is an autoplay video, with or without DRM. There are ways of blocking videos from autoplaying, and many browsers now have autoplay disabled by default and prompt the user to turn it on on a per-site basis.
tl;dr add web browsers to the extensive list of things Blue lacks a basic understanding of but still has very strong opinions on.
[ link to this | view in chronology ]
hypothetical
[ link to this | view in chronology ]
Re: hypothetical
The answer is quite possibly “no different at all”. Unless the site owners (let alone the users!) of a modern script-heavy site have taken the time to check the multitude of (probably obfuscated) JavaScript they run for vulnerabilities, questionable requests and even suspicious busy loops, pretty much anything could be running in a user's browser. Clearly most site admins aren’t doing much checking.
As other commentators have noted, a browser’s sandbox cannot prevent a script from doing arbitrary number crunching. Mining blockers like NoCoin block known mining scripts, but this blacklisting approach can’t stop “trusted” (but compromised) scripts from mining while ostensibly sliding widgets around.
The popular computing world accepts that a modern Web browser must run every piece of JavaScript thrown at it. Correspondingly, Web browsers have become enormously complex programs with code-line counts on the order of entire operating systems, which users must, nevertheless, trust to protect them from tons of arbitrary code. And the Web development world has decided that more, not less JavaScript is the solution to their customers’ problems. I think it’s fair to say that no one has a clear idea what’s going on when they use the modern Web.
[ link to this | view in chronology ]
Re: Re: hypothetical
And, the minute we allow any form of recursion, the problem of bounding the behavior of the programs we load becomes insoluble.
As an end user, I need to be able to (without too much inconvenience) limit the amount of damage any given browser tab can do and control it. My! That looks a lot like what my OS needs to do with programs, too!
[ link to this | view in chronology ]
Re: Re: Re: hypothetical
That's what Qubes OS, or Linux Containers do.
[ link to this | view in chronology ]
TANSTAUCP
Allowing Salon to run a crypto-miner will cost you at least some electric power, and therefore money.
Ads will also cost you money, because they nudge you into buying stuff you don't need. Both propositions (ads and miners) are hypocritical in this regard.
[ link to this | view in chronology ]