
Because you can't be arsed
As it turns out: not everyone runs Windows. There are a few Unix styled boxes around, some are fruity but the rest are useful.
Miscreants have found a way to continue running cryptocurrency-crafting JavaScript on Windows PCs even after netizens browse away from the webpage hosting the code. Researcher Jerome Segura of Malwarebytes said on Wednesday his team discovered scumbags had written some custom code to keep Coinhive's freely available in-browser …
But if you read the article, you'll note that the process itself is mostly platform-agnostic. It's just that the "secret" window may find it harder to hide in unfamiliar territory, but given that most systems possess some kind of taskbar or analogue, browser fingerprinting can potentially allow it to hide virtually anywhere. Failing that, it could try to find ways to position the window along an edge so only a very obscure line would be visible.
Given that this coin mining software will need to be run across millions of devices to be worthwhile, why would anyone take time out to find a way to secretly run it on a unix box, when the same amount of time and effort could be spent getting it to run on Windows machines, thus reaching an audience probably at least 100 times larger?
"why would anyone take time out to find a way to secretly run it on a unix box"
It's written in Javascript so no effort at all is needed to make it run on a Unix box. The browser provides the platform. Pop-under windows are also a feature of the browser so what works on the browser on one OS is going to work on another.
Noscript is your friend.
"Given that this coin mining software will need to be run across millions of devices to be worthwhile"
Actually with the current trading price of monero you could probably get a fairly decent return from anything above 500 machines.
Generally I believe coinhive say that to make it profitable vs adverts you need around 2000 users spending 10-20 mins on your site (It's been a while since I read this so it might not be accurate still) so if you can trick users into running the script for a few HOURS then you will need far fewer people.
… to run NoScript properly configured.
No platform is immune from evil on the Internet. Worst is 3rd party domain javascript, esp. in adverts. BBC and CNN have served malware.
When will Advertisers and Webmasters / owners learn? Anything other than the same URL for everyone image and a link is evil.
I found that out yesterday, thought I'd got some kind of infection that all of my security/protection had missed.
Nope... just the fact that NoScript 10.1.3 was the culprit... I returned to 10.1.2 and everything was fine again... after double checking and comparing to another system that doesn't get firefox updated as often.
Today after retesting this afternoon after a fresh boot... all is good again and 10.1.3 works once more... But I am having to relearn some sites... one of which was an internal one to my mediaserver.
Yet the same trick works on Linux and everything else too.
+ Although proly not on a Tiling Wm.....
...well, not unless you've set your browser to Float all the time.
+ Many Linux Desktops these days have unmovable panels that nothing can hide under (Gnome, Unity).
+ Then there are the hard-asses that have gone desktop commando (no pants, erm, panels whatsoever)....
Even without a taskbar, it may be possible to "shade" the window by putting it right on the edge so you'd have to spot a very thin line in order to know the window's there. Actually, a taskbar will be of help here since it can make you aware a browser window's still open.
"Actually, a taskbar will be of help here since it can make you aware a browser window's still open."
a good point. There may be a way to have it display "iconless" though. I haven't tried. But if it's a top level window, it will most likely be in any task bar that has icon windows listed in it.
I run Mate with the upper panel having the CPU monitor in it. If I see unusual CPU activity, I typically kill that application and re-start it. Usually it's Firefox, due to garbage collection and being left open on 7 virtual desktops with 20 or 30 tabs for days or weeks on end. Sometimes it's something else. but if you see consistently high CPU usage, it's often a problem with the application. And if it's bitcoin mining, THAT would put a stop to it REALLY QUICK.
That, and running 'NoScript'.
The original "task bar" (start menu) in Windows was designed to be at the top of the screen however I understand that Microsoft Legal stepped in as this could have caused them some serious problems if manufacturers of other OSes complained. There may also have been design considerations where menus were stacked together, as in the OS shell menu and an application menu however as the task bar was designed to be very different to an application window's title bar I don't really see this as an issue.
It was almost certainly a last minute change and as a result of this, and doubtless a bit of obstinacy, it was possible from the outset to put the menu back in the designed location, the top of the screen, even if the default was set to the bottom.
When you think about the original Windows start menu being located at the top of the screen it makes considerably more sense as the first thing on the start menu really shouldn't be shut down as this was entirely the reverse of common sense and all existing menus. The All Programs folder would have been at the top and Shutdown/Exit at the bottom which also made a lot more sense.
Top of screen makes most sense. I have my programs menu and running applications panel there on autohide and autowidth. Less easily triggered visible as it's near title bars. I have autohide panels on the three other edges:
Left: Local look up stuff / management (Calibre, Control panel, Filemanager)
Right: Remote stuff (FTP/SFTP, Browsers, email, SSH, chat etc)
Bottom: Like applications, it has status (CPU, Keyboard state, Network state, USB manager, Bluetooth etc).
Easy to do on Mint + Mate and save for all users. Windows has become horrible with its pinning and unreadable flat icons and poor customisation, like back to Windows 1.0 and 2.0. The 3.11 was better, you could even make a desktop window like a pinned taskbar menu!
As we are getting wider/narrower screens all the time, the best place for me is at the side in some of the waste space that I now have. I prefer it on the left for the same reason that I prefer to drive there - I'm mostly right handed. YMMV on that.
"Just 20 years after Microsoft gave us the capability, at last there's a reason to do it.
Unfortunately it would mean relearning 20 years' worth of muscle memory and habit - but hey, nothing's for free, right?"
I have mine set to auto hide anyway * , no changes to muscle memory needed as when the mouse moves down it's there.
* I don't like the clutter!
The apocryphal version I heard was that there were no Windows 3.1 apps that had an issue with screens being different sizes, there were some that had issues with the origin of the user-interactable area not being (0, 0), and the coordinate system was a shared and exposed resource with no coherent way to offer different versions to different apps.
So the start bar went at the bottom because there were too many significant apps that either assumed the top left was (0, 0) when maximised or had a bad habit of spawning new windows at (0, 0), no coherent way to lie to them about the coordinate system, and too many edge cases in every attempted kludge.
But unless and until I read it on something like Raymond Chen's excellent The Old New Thing, I'll continue to take that alleged version of events with a pinch of salt.
I'm old school
Like chess-by-mail, I do the internet by correspondence.
I am currently waiting for a ping letter...
Read that as Cheese by mail
...If it sounds like a good idea, I've got dibs...*
'How are we on tilsit, red leicester, Venezuelan beavers cheese'...
* Yes, the website will be playing bouzouki music
NoScript helps here, but be careful. Some of these popups are actually gates, meaning blocking them means you can't proceed.
Also, I'm not too pleased with the script requirements for that homepage. For a site that touts protecting privacy, they don't adhere to privacy-protecting KISS principles.
@ lglethal
You could trade off the new features of 57 for an older version where extensions still work properly.
It's a trade off in using old version (where all your plugins happily work) vs. not having latest version & so not all security related patches. An awkward call, I prefer older version as I have more control over the browser (& when a must have security patch appears I'll switch to a Firefox fork that supports old style extensions but has security patches). I'm loyal to my "must have" extension functionality rather than any particular browser
Unfortunately, I have noticed the speed gain in 57. Maybe it's not huge but the fact that it is noticeable at all says quite a lot. So I'm reluctant to go back to old Firefox.
As such, I am pretty much looking for something else other than NoScript as I'm not overly confident that they will be able to turn it back into a user friendly interface. The old "trusted/untrusted/default to untrusted/temporarily allow" combination was intuitive and easy. I taught my mother to use it in 5 minutes with ease (and it has since saved me a ton of malware call-outs!). But this new version - where trusted doesn't really mean trusted it means trusted to do certain things and maybe only on https or maybe not, and untrusted does not necessarily mean untrusted and Default can mean something else entirely. My mother is not going to understand why she should (for example) allow scripts, but not fetches. I'm all for giving advanced users and those who want fine grained controls to have them in the advanced Options, but forcing that on everyday users. gahh...
Sorry end rant... ;)
uMatrix. It lacks some features (though I think a lot of those are also missing from the WebExtensions version of NoScript), but the javascript blocking is the same, in fact uMatrix had the more granular control of blocking cookies, scripts and frames before NoScript and has a much simpler interface for it.
The article seems to be saying that these pop-unders are running out of sight when users close all the visible windows in the browser, but don't close the browser itself. So..... exiting the browser and not just xing the individual windows is all that is needed to be sure. Probably a good idea anyway - especially if you've been to web sites likely to have hidden nasties.
And if the browser is still running, wouldn't it still be showing at the bottom of the screen?
"Exiting the browser", as in using the File -> Close menu item, generally doesn't do anything more than close the current window. A pop up/under window is usually another instance of the browser and therefore a different process which is unaffected by closing a different instance to it. Closing a window will close all the tabs in it - although Microsoft are doing their level best to break this standard as much as possible in IE/edge of course.
Yes, the symptom will be that you have no visible browser windows open however you may notice one in the OS's task bar. Some OSes, such as Windows Vista and 7, particularly in non-aero mode, make noticing whether or not an application is running or if it's just a launch icon very difficult. An application usually has to register a window with the OS's shell user interface in order to show as a switchable task, as a result it is relatively easy to hide a running task entirely - this does vary between OS shells though.
> "Exiting the browser", as in using the File -> Close menu item, generally doesn't do anything more than close the current window.
Which platform? Mine has File > Close Tab (Ctrl+W), File > Close Window (Shift+Ctrl+W) and File > Quit (Ctrl+Q) so there should be no confusion, apart from Ctrl+W and Ctrl+Q being inconveniently close together on a QWERTY keyboard.
"Wish there was a way to redirect the script so it runs on their server and see how they like it."
To be fair when it's done properly and with the user's permission instead of ads it's pretty good, the users don't get distracted by ads and the site owner still gets some income.
The issue is when the site has been compromised and the site owner is not aware that it is happening, in that case your suggestion hardly seems fair as the server would just belong to a completely innocent party.
This is probably going to get me downvoted to hell, but I just want to explore the idea...
We're all sick of adverts on our websites. We all hate ads and the free-to-play model in our mobile apps and games. But the fact remains that devs, hosting, content providers and all the other resources do need to be paid for, which leads us to where we are now.
What if on a website, alongside the "this site drops cookies" message, there is another notification, something like "this site needs to pay its way, so rather than put up a paywall or bombard you with ads, 10% of your processing power will be used to mine crypto - using the site means you agree to this". Or a similar message on the start screen of an app, with the possibility of increasing CPU allocation used for mining in place of currency-based in-app purchases.
What if someone tried to use this as a legitimate business model? Rather than having to hide behind pop-under windows, be up-front and say "hey, we're doing this so you don't have to pay or deal with crappy ads!"
Colour me curious...
This is exactly the purported reason for coinhive in the first place. However, the developers naively did not consider that it would be abused by every malware miscreant on the planet.
They no longer support coinhive and now have a fork that will not run without user authorization, but the genie has been let out of the bottle, the horse has left the barn, the chickens have flown the coop, Pandora's box has been opened, etc.
The better model I think (and it's one which is heavily promoted by CoinHive) is mining as a captcha replacement. Go to sign up for a free site and instead of saying "click to prove you are not a robot" it says "click here to mine a tiny amount for us, if you're a robot that's fine, we're still getting paid."
I would immediately close the browser window and never go back to that site.
Problem is, one day you may not have a choice but to never go back to that site, or many others.
Advertising kinda works, but as more and more people get sick of ads and find blockers, advertising gets less effective.
Hosting sites costs money, although widespread fibre is making home based hosting faster - but there are significant security considerations.
As advertising dies (Yay!) there'll have to be other ways for sites to pay their way. Some will use paywalls, some will use donations, many will disappear. We may soon find a situation where much of the web requires some form of payment to proceed.
I'd love it if El Reg were to do something like this, and a few other sites I like. I'd happily keep a tab open for each, let them mine to their heart's content (well, as much CPU as they can get from me anyway).
All the cryptomining perps have to do in the next round is give the mark a compelling reason to leave the window open. Social Media? Stock Monitor? Hugely clever customisable notification solution? Or perhaps the next big thing that makes absolutely no sense to anyone over forty?
It's another arms race.
If they do that (and make it clear that's what they're doing) then it's absolutely fine.
If they're providing me with something of so much value that I want to leave it open all the time, it's perfectly reasonable that I should provide them with a bit of mining time. The current situation is a problem because a domain squatter whose site I don't actually want to see at all might be able to trick me in to mining for him.
https://github.com/hoshsadiq/adblock-nocoin-list/
on linux OS or routers powered by linux OS just edit: /etc/hosts
if on windows then just edit: windows\****\drivers\etc\hosts
Restart your machine after applying changes on your hosts file.
You're welcome.
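
The hosts-file approach from the comment above, as an added example that is not part of the original thread or of the linked project: a shell function that merges a hosts-format blocklist into a hosts file without duplicating entries, accepting only sink addresses and valid DNS names. The function names, the `0.0.0.0` sink address, and the sample files and domains are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, sample files and domains are constructed.
export LC_ALL=C   # stable sort/comm ordering and ASCII-only regex ranges

# Print the valid hostnames in a hosts-format blocklist, one per line.
# Only sink addresses are accepted, so a tampered list cannot map a real
# hostname to an attacker-chosen IP; non-DNS names are dropped.
blocklist_names() {
    tr -d '\r' < "$1" | sed 's/#.*//' |
    awk '($1 == "0.0.0.0" || $1 == "127.0.0.1") && NF == 2 { print tolower($2) }' |
    grep -E '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$' | sort -u
}

# Print every name the hosts file already maps (any address).
hosts_names() {
    sed 's/#.*//' "$1" | awk '{ for (i = 2; i <= NF; i++) print tolower($i) }' | sort -u
}

# Append "0.0.0.0 name" for names not yet present; print the number added.
merge_blocklist() {
    list=$1; hosts=$2
    new=$(mktemp); have=$(mktemp)
    hosts_names "$hosts" > "$have"
    blocklist_names "$list" | comm -23 - "$have" > "$new"
    added=$(wc -l < "$new" | tr -d ' ')
    if [ "$added" -gt 0 ]; then
        cp "$hosts" "$hosts.bak"                      # keep a rollback copy
        # Guard against a hosts file whose last line lacks a newline.
        if [ -n "$(tail -c 1 "$hosts")" ]; then echo >> "$hosts"; fi
        { echo "# coin-miner blocklist"; sed 's/^/0.0.0.0 /' "$new"; } >> "$hosts"
    fi
    rm -f "$new" "$have"
    echo "$added"
}

# Constructed sample data: a small hosts file and a blocklist with junk lines.
make_samples() {
    dir=$(mktemp -d)
    printf '127.0.0.1 localhost\n0.0.0.0 miner.example.com\n' > "$dir/hosts"
    cat > "$dir/list" <<'EOF'
# constructed blocklist
0.0.0.0 miner.example.com
0.0.0.0 Pool.Example.NET
0.0.0.0 ws.pool.example.net   # trailing comment
10.1.2.3 intranet.example.org
0.0.0.0 bad_name!.example
EOF
    echo "$dir"
}

# Demo on the samples; for real use pass the system hosts file, as root.
d=$(make_samples)
echo "added: $(merge_blocklist "$d/list" "$d/hosts")"
cat "$d/hosts"; rm -rf "$d"
```

Running the merge a second time adds nothing, and the entry for a non-sink address (`10.1.2.3`) is never copied into the hosts file.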
Ancient shitty websites (like the HR one we have where I work (hence AC)) will pop up a calendar in a new tiny window when you try to select a date. So there are some reasons to allow it. Disallowing that behaviour would break a lot of old sites, even if those old sites were standards compliant, so browsers can't really do it, certainly not by default.
Every browser I have used in the last decade has had a pop-up blocker enabled by default. I have seen sites that get around this by implementing a pop-up within the same window, but that is not what this is. I don't really use IE anymore, but it has a pop-up blocker too. Is it not enabled by default?
Don't worry guys HTTP 2 will fix this. There will be no way for someone to know what is running in the browser (hello binary) and no way to block things that are listed as mandatory. Now these pesky users can't turn off your crypto miners at all.
I love technology. It's not paranoia when everyone really is out to get you.
I haven't installed a new browser in a while. One without an accompanying user.js for even longer.
But I had the impression that popups were disabled by default these days and you had to give explicit permission if you wanted a site to show one? I take it that's not the case?