Showtime Websites Are Mining Monero With Your CPU, Unclear If Hack Or Experiment

An anonymous reader writes: Two Showtime domains are currently loading and running Coinhive, a JavaScript library that mines Monero using the CPU resources of users visiting Showtime's websites. The two domains are showtime.com and showtimeanytime.com, the latter being the official URL for the company's online video streaming service. It is unclear if someone hacked Showtime and included the mining script without the company's knowledge. Showtime did not respond to a request for comment, but it could be an experiment as the setThrottle value is 0.97, meaning the mining script will remain dormant for 97% of the time. Despite this, Coinhive has been recently adopted by a large number of malware operations, such as malvertisers, adware developers, rogue Chrome extensions, and website hackers, who secretly load the code in a page's background and make money off unsuspecting users. At least two ad blockers have added support for blocking Coinhive's JS library -- AdBlock Plus and AdGuard -- and developers have also put together Chrome extensions that terminate anything that looks like Coinhive's mining script -- AntiMiner, No Coin, and minerBlock.

The Pirate Bay recently ran tests using Coinhive. A recent report has calculated that a site like The Pirate Bay could make around $12,000 per month by mining Monero in the background.

Re:

[MightyYar]

Naw, it's good he posted this. I would have no idea what the crazy conspiracy people have moved onto if not for posts like this.

Still think NoScript is optional?

[Anonymous Coward]

Firefox, you will be missed.

Re:

[Rakarra]

See subject & https://tech.slashdot.org/comm... [slashdot.org] [slashdot.org] - NoScript's inferior & inefficient vs. hosts (noscript & addons have overheads FAR beyond hosts + operate in slower usermode (vs. hosts in faster kernelmode)). No SINGLE addon does as much (& for FAR less resources), no questions asked!

I like host-based approaches, but what if the website itself serves out the malicious/inefficient/junk JS? I'd like to be open to open a website without its javascript crap firing off, so I feel like I still have to enable NoScript. Worse, I'd like to enable things like googleapis but only if certain websites request them, but NoScript just lets you + or - googleapis completely. IE, if I enable it, then both goodsite.com and badsite.com automatically get to use them, and I don't know any way around that at

The site doesn't make money. Users lose money.

[Anonymous Coward]

A recent report has calculated that a site ... could make around $12,000 per month by mining Monero in the background.

It's not really a case of the site making money. They haven't actually produced anything of real value, so wealth hasn't been created. All they've done is consumed the computing and electricity resources of the site's users, and converted them to an entry in some distributed database. Overall, it's a net economic loss. Resources were consumed without producing anything of value.

At least advertising, as shitty as it is, can potentially result in a sale, which is an example of actual wealth creation.

Re:

[Rick Schumann]

This is one thought I immediately had: So far as I know, it takes some serious computing power to 'mine' any sort of cryptocurrency; dedicated, FPGA-based platforms have been purpose-built for it. Direct machine code running on a general-purpose CPU is a pale substitute for this, and Javascript is slow and bloated compared to that, and the code would only be running so long as you had a webpage open? I have a hard time seeing how it would 'mine' much of anything.

Re:

[SScorpio]

Monero the coin being mined is supposedly optimized so that CPU or GPU will produce similar hash rates.

The Showtime websites this is placed on are where people stream pirated TV and movies. So visitors sit on them for 30 minutes to two hours on average.

I don't know how many people visit those sites, but it could easily be in the thousands to millions. Who knows how much money can could make off this.

Re:The site doesn't make money. Users lose money.

[Rick Schumann]

The real question is, I guess: Is this better or worse than ads? Pretty much everyone hates ads. This, ostensibly, would run silently in the background. If you're informed it's happening, and making a very broad assumption that there isn't going to be any malicious code being executed (implies they protect it from being hacked/repurposed into something malicious) is it a better solution for funding websites instead of ads?

Re:

[ctilsie242]

I wonder if websites might move to a proof of work model, where their miner would have to execute for n cpu cycles for access to pages to be granted. I can see this becoming an alternative to advertising, especially with smartphone CPUs so relatively fast.

Re:

[Rick Schumann]

Again, if it were I implementing this.. I probably would detect it being on a smartphone and not have it execute at all, or at most have it be 'opt in', simply because something like this would kill a smartphone battery in nothing flat, maybe even compared to playing HD video. They'd be offered a choice of paying a subscription fee or pay-per-use fee instead.

Re:

[Rick Schumann]

If they did something like that, they'd take what might have been a good replacement for annoying ads, and made it into something even more annoying than ads: making you sit there and wait, perhaps watching some inane countdown or 'progress bar' for something that the vast majority of people wouldn't understand. All I'm saying is, if it were I who were implementing this idea, I'd make it clear in the Terms of Service for the affected site that it's happening (perhaps with a one-time pop-up notice informing

Re:

[Rick Schumann]

Okay, what if they offered you three versions: (1) You pay a subscription fee or per-use micropayment. (2) You get 'traditional' ads. (3) You get the cryptocurrency mining javascript. All the above are opt-in, fully informed, never opt-out. Saying "I don't like any of the above, why can't I access the site for FREE?" means you're denied access to the site entirely; you must choose one of the three options.

Re:

[Khashishi]

Users will just block it either way.

Re: The site doesn't make money. Users lose money.

[LocalH]

You do realize that Showtime is a premium network, and sites in question are legitimate, correct? Nobody is watching pirated content at either of those URLs.

Re:

[swb]

I don't know how much fractional value you can mine from a single session, but assuming you can build out the distributed computing network even a fraction of a cent multiplied across millions of users starts to be real money.

Getting $0.01 of value out of a million users is still $10,000 per day.

Re: The site doesn't make money. Users lose money.

[AvitarX]

Well, they estimate the pirate bay can pull $12,000.00/month.

I'm not sure what their costs are, but it seems like best case scenario is a modest income for one person. Maybe showtime can do better as people watch there too?

Re:

[indi0144]

Thats... thats not how it works. Theres no fractional gain in mining unless you are part of a mining pool. AFAIK you only get your share if you find one block, if you are mining alone all the block reward goes to you, if it's found by a pool its shared across the participants relative to the amount of work they provided.

But as far as I've been reading, crypto mining is dead, its been dead for months only profitable for the mining farms in Asia.

Latest ASIC miners are not reaching ROI within 2 years, for exam

Re:

[bluefoxlucid]

Entertainment is bad, and we should all work to produce boring but necessary things.

So, you're Mormon?

Re:

[Qzukk]

That, or a Marxist. Time wasted on frivolities means less that can be taken from you according to your abilities.

Re:

[bluefoxlucid]

They haven't actually produced anything of real value, so wealth hasn't been created.

Why are people consuming the site's content?

Re:

[Anubis IV]

My (admittedly limited) understanding of cryptocurrency mining is that it actually does produce value, in that the mining process itself is what's responsible for distributing, verifying, and otherwise maintaining the blockchain on which the currency is built. Which is to say, miners are the ones facilitating the use of the currency. It's actually part of what makes cryptocurrencies work so well, since the very act of maintaining the currency is both distributed and incentivized.

All of which is to say, mini

Re:

[PopeRatzo]

All of which is to say, mining isn't just a matter of spinning one's wheels without purpose. It produces value for the people making use of that currency.

Based on your description of how virtual currency mining creates value, then couldn't we also create value by adding a zero to the end of our bank balances?

Or more specifically, by having only people with fancy computers add a zero to their bank balances.

Re:

[Anubis IV]

No, because in your example there's no correlation between the people adding 0s to their bank account and the people facilitating financial transactions. You're talking about paying people for doing nothing to aid the operation of the system, whereas I was talking about paying the people who facilitate the operation of the financial system.

If you'd like an actual example of this sort of thing in the real world, look no further than banks, ACH, and other financial institutions who facilitate the transfer of

Re:

[PopeRatzo]

No, because in your example there's no correlation between the people adding 0s to their bank account and the people facilitating financial transactions.

Sure there is. If you add a zero to my bank balance, it will facilitate many more financial transactions by me.

You're talking about paying people for doing nothing to aid the operation of the system, whereas I was talking about paying the people who facilitate the operation of the financial system.

In terms of productivity, those two things are exactly the

Re:

[Anubis IV]

Sure there is. If you add a zero to my bank balance, it will facilitate many more financial transactions by me.

Well, given that I said I was talking about "facilitat[ing] the operation of the financial system" and that you are not the financial system, I think it's safe to say that you're talking about something wholly separate. In fact, if you engaged in more financial transactions, it would place additional burden on those who are facilitating the system's operation, and if you intentionally twist terms in a disingenuous way like that again, I'll be done with this discussion.

In terms of productivity, those two things are exactly the same.

If you live in an agrarian society, per

Re:

[parkinglot777]

A recent report has calculated that a site ... could make around $12,000 per month by mining Monero in the background.

It's not really a case of the site making money. They haven't actually produced anything of real value, so wealth hasn't been created. All they've done is consumed the computing and electricity resources of the site's users, and converted them to an entry in some distributed database. Overall, it's a net economic loss. Resources were consumed without producing anything of value.

At least advertising, as shitty as it is, can potentially result in a sale, which is an example of actual wealth creation.

Hmm... Your post reminds me of someone in economic field. You are looking at something that has no value means no loss in value (but in net economic). However, that is not really true with non-tangible product. In other words, no value is produced does not mean no wealth created at all. In this case, results from hash computation actually has value even though it doesn't find the combination.

Think of it as if you have to look through 1,000,000 boxes to find a mark. If you could eliminate 100 boxes that you

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

I have no idea how anyone can browse the internet without a script-blocker and ad-blocker.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[murdocj]

I don't use a script blocker and do a bit of ad-blocking. If a site slows me down, I close it. Problem solved.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[murdocj]

Yeah, it's only worked for 10 years. If I really wanted to be safe, I guess I could telnet to websites and just pick out what I wanted from the readable text.

Re:

[account_deleted]

Comment removed based on user account deletion

Doing it sleathily is wrong, but perhaps...

[Bugler412]

Doing it this way, unannounced and underhanded is wrong. However, if done in an upfront and informed way I would likely accept some form of low impact mining on my PC while consuming content over most forms of advertisement.

Re:

[bluefoxlucid]

That was my first thought, followed by, "Oh wait, bitcoin et al aren't sustainable."

Re:

[middlehead]

As a replacement for advertising, sure. But not from something like Showtime that I'm presumably paying for.

Re: Doing it sleathily is wrong, but perhaps...

[AvitarX]

Does the pirate bay really get less than $12,000/month in advertising though?

Remember kids...

[RyanFenton]

Never browse without properly community-maintained ad blocking and script blocking.

And if any company complains about not being able to 'serve' you properly as they'd like to... add a request to have that complaint blocked.

Ryan Fenton

Re:

[IWantMoreSpamPlease]

Heh,

My corp firewall lists your program as "malware"
Not saying it's right...but I find that funny all the same.

Re:

[Anonymous Coward]

No pro would use your stuff. You made a couple of little programs that someone who had a bit of programming knowledge and an AAS networking 1 class, or a bit of programming knowledge and the wikipedia page on fat32 could make. If you have ever created something other than your hosts file engine, really dumb name btw, or your defrag program please list them because all I have seen you hold up as examples are those dumb little things and nothing else. Maybe their firewall is protecting them from your stalking

Re:

[IWantMoreSpamPlease]

Bluecoat. Was a McAfee program, now owned by...Symantec I think.
And it's quite difficult to "show" you a screencap of BC telling me what it thinks of your file, if I can't send it to you, because you won't post an e.mail or owned website here...

Voluntary mining would be fine...

[EndlessNameless]

I would gladly donate CPU time to support a site instead of viewing ads.

I might even idle my browser there---if it doesn't affect anything else I do. They really need to have a light touch though.

And, it should go without saying, but no mining on mobile. If I have to choose between bandwidth for ads and battery life, I'll take the ads.

TULIPS! TULIPS!

[Anonymous Coward]

OMG tulips! Tulips, everyone! Oh shiiiiiiiiiiiiii-

Am I missing something?

[Anonymous Coward]

Before I swung by slashdot, I hit TPB and fired up my download of Star Trek. I haven't paid TPB for anything, and I'm not about to sign up for their VPN, or stay up all night playing "The most addictive game of 2017". But TPB has provided me with a valuable service, and for that, I am more than happy to throw them a few spare CPU cycles.

Thanks guys, keep up the great work!

Terrible way to fund sites

[FeelGood314]

CPU mining has a return of between 1 and essentially 0% depending on the currency and the price of electricity. Best case scenario, you leave you web browser open for two days, you consume $1 of extra electricity and the web site gets $0.01. Unless the browser could leverage your GPU, you live in Quebec (cheap electricity) and it's winter so you are heating your house with the GPU, this is never going to make sense.

Re:Terrible way to fund sites

[johannesg]

CPU mining has a return of between 1 and essentially 0% depending on the currency and the price of electricity. Best case scenario, you leave you web browser open for two days, you consume $1 of extra electricity and the web site gets $0.01. Unless the browser could leverage your GPU, you live in Quebec (cheap electricity) and it's winter so you are heating your house with the GPU, this is never going to make sense.

It makes perfect sense if it is other people paying for the electricity...

Not the case with Monero

[Anonymous Coward]

The hashing algo used by monero needs a fair amount of super fast memory (think CPU L2 or L3 speed). Its not efficiently minable with GPUs or ASICs.

Depending on electricity cost, consumer level CPU mining can be profitable. Even better if using someone elses electricity.

Re:

[johannesg]

OK, I'll bite. Who is paying for the electricity in your house if it isn't you?

_I_ am paying for the electricity. The _website_ is getting the money. So for them it's free.

What does that mean? Well, for one thing, that the web we knew and loved is _over_. Just like how every website loaded up with as much ads as they could possibly fit, now they will load up with as much mining as they can. Which means that opening a webbrowser, in the near future, will guarantee a CPU load of 100%, no matter what you're doing, with every page you open fighting for its unfair share.

There will be count

Basic economics issue

[sfcat]

Bitcoin mining has been done by custom chips for at least the last 5 years. The economics of mining are that you convert electricity into currency at some rate that is efficient (ie the value of the electricity < value of the coins mined). CPU mining of bitcoin is at least 100x less efficient than the custom chips used by miners. For other currencies (ie Litecoin like currencies), its either custom chips or graphics cards (I think the graphics cards have been squeezed out of there too) which are at le

Re:

[corychristison]

CoinHive [coin-hive.com] is mining Monero [wikipedia.org], which does not benefit from custom miner hardware.

Re:

[indi0144]

Yes but the difficulty is so high (and Monero the coin so stagnant) thats not really worth it. Theres always newer and fresher coins to mine tho, but most crypts are going Prof-of-stake instead of prof-of-work. The value of bitcoins being given by the electricity used to create them was always a meme.

This JS would have been a killer 3-4 years ago, today? And with the SEC preparing to come after so many scammers in the crypto scene? Meh.

When you have the Chaina© and the US (and even JPM) working togeth

Re: Kill javascript

[Anonymous Coward]

I second this, but instead of JS genocide, install No Coin, CPU freed up right away. Very disappointed this was causing my IDEs auto complete to be entirely unusable while watching bootleg.

Re:

[Moheeheeko]

My company actually just removed Java from every system on the network. People are wising up, albeit slowly.

Re:

[Anonymous Coward]

My company actually just removed Java from every system on the network. People are wising up, albeit slowly.

Removing Java from the system has nothing to do with disabling Javascript in the browser...

Re:

[Anonymous Coward]

Your company needs to buy a clue. Preferably from my company which sells CLUE: a PHP based JavaScript to Java translator so that your Java removal will now remove JavaScript too.

[Hey guys, don't tell him, but I'm just going to sell him NoScript]

Re:

[grumpy-cowboy]

Java != Javascript. I don't know what your company is selling, but I will not buy anything from you if your IT dept cannot make the difference between Java and Javascript.

Re:

[h33t l4x0r]

cat /etc/hosts

127.0.0.1 coin-hive.com
127.0.0.1 www.coin-hive.com

problem solved.