Now Even YouTube Serves Ads With CPU-draining Cryptocurrency Miners (arstechnica.com) 187
YouTube was recently caught displaying ads that covertly leach off visitors' CPUs and electricity to generate digital currency on behalf of anonymous attackers, it was widely reported. From a report: Word of the abusive ads started no later than Tuesday, as people took to social media sites to complain their antivirus programs were detecting cryptocurrency mining code when they visited YouTube. The warnings came even when people changed the browser they were using, and the warnings seemed to be limited to times when users were on YouTube. On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google's DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain. The ads contain JavaScript that mines the digital coin known as Monero.
This crap needs to be regulated by the government (Score:2, Funny)
Because itâ(TM)s getting out of hand and they will fix everything.
Comment removed (Score:5, Insightful)
Re: (Score:2)
Ad Blockers (Score:5, Insightful)
This is why I run an adblocker and a script blocker.
And why I refuse to visit sites that insist I turn it off.
Speaking of which, anyone know any WebExtensions that do anti-anti-adblock? The old one was XUL.
Re: (Score:1)
I just watch YT via youtube-dl or directly via mpv (which uses youtube-dl hook). Their new UI is too retardedly slow to even look at it.
Re: (Score:2)
Re: (Score:1)
mpv is just a player; if you really want to use youtube from a terminal install something called "mps-youtube" ("pip3 install --user mps-youtube" should do it).
This is much more of a youtube interface. It in turn can use vlc (what I use) or, I seem to recall, mpv, as the actual player.
You can search for videos, sort them by various criteria, download them via its builtin downloader or anything else you have... it's a very nice tool!
Re: (Score:2)
Re: (Score:2)
Like DemoLiter3, I just watch YouTube through youtube-dl or mpv with youtube-dl hook.
oh good. There are a few channels I need to watch videos from time to time but don't want to give revenue to like when I'm trying to show someone the moron who went to Japan. I've been downloading the videos and watching 'em that way. I still feel gross but I don't have to worry about having contributed to the problem.
Re: (Score:2)
Can you explain how? I'm familiar with youtube-dl, but not mpv.
Do you really see a youtube link, then slap it into youtube-dl, wait for the download, then watch the video?
Do you browse/search youtube at all? I find that finding shit is worse than the page with the video on it, so I can't imagine how your method makes things better. Once you've got the link to the video you want to watch you're past most of the bullshit.
Re: (Score:3, Interesting)
Re: (Score:1)
I sure as hell can.
Usually through a liberal application of NoScript, RequestPolicy, and, if absolutely necessary, raw HTTP requests to their API layer (because fuck you AND the horse you rode in on, you dumbshit "UX" assholes).
Re: Fuck You (Score:1)
Fair use for personal reasons says go fuck yourself.
Re: Fuck You (Score:1)
You should share what the name and address of your site are. Plenty of people here wouldnâ(TM)t mind boycotting a site whose operator thinks their copyright overrides the fact that ad networks and the websites who employ them are shitty and should be avoided.
Re: (Score:1)
If you're not willing to support my site, feel free to boycott it. However, stop stealing from me. You're not required to go to my site, but you're not welcome to violate my copyright with a derivative work in order to steal revenue from me.
Could you clarify exactly how I'm violating your copyright by blocking intrusive, annoying, and sometimes malicious ads?
Re: (Score:1)
I'll be more than happy to boycott your site. Malvertising is the #2 cause of malware spreading, next to Trojans, and with the absolute disinterest ad companies have in policing themselves, their stuff is hostile. I'll keep my security, and your site will remain free of traffic. Sound fair?
Note: Even Forbes has caved on on the mass adblock-blocks. Adblocking is as part of computing as firewalls and AV software these days.
Re: (Score:1)
Re:Fuck You (Score:5, Insightful)
If you're not willing to support my site, feel free to boycott it. However, stop stealing from me. You're not required to go to my site, but you're not welcome to violate my copyright with a derivative work in order to steal revenue from me.
First of all, they're not violating copyright by simply downloading content.
Secondly, if you're using one of these scammy ad networks (and, to my knowledge, there isn't a single one that *isn't* scammy), then you're just going to have to accept that fact that one one gives a shit about what you want.
Third party javascript nonsense had gotten so far beyond the pale, that it behooves everyone with a computer to enable ad blocking technology, for their own personal safety. This youtube crypto thing is just one of countless examples of malicious code forced upon people. If you derive income from this bullshit, then you're complicit in this and deserve every bit of scorn anyone heaps on you.
If you don't like it, then set up a patreon account so people can be assured that you're getting paid directly without they themselves getting screwed in the process with malware.
Re: (Score:2)
However, stop stealing from me.
So you give someone something openly, and then because they refuse to let you kick them in the nads you're claiming you're being stolen from? You're delusional.
You want to protect your content put it behind a paywall, until then we're not stealing shit, not even in the RIAA piracy is stealing way.
Re: Where do you people go, anyway? (Score:2, Informative)
Forbes
Re: (Score:1)
Weird... Forbes comes through loud and clear with uBlock Origin + NanoDefender.
Re: (Score:2)
Re: (Score:2)
You have to enable AdBlock first, OK?
Re: (Score:2)
Re: (Score:2)
I have NEVER encountered a site that requires you disable adblock. I have been to maybe two sites that asked politely to turn it off, and did nothing to keep you out if you didn't.
There are news sites that shade articles until you white list. Just a giant unremovable popup. Some I can remove by inspecting and removing the offending div layer but some change the site itself so it's not hidden beneath an immovable layer.. it IS the immovable layer. I don't encounter those sites often to be fair.
Re: (Score:3)
And doesn't accomplish anything against a crypto currency miner.
Re: Ad Blockers (Score:1)
Or tracking.
Re:Ad Blockers (Score:4, Informative)
An arstechnica commenter mentioned NoCoin which is a standalone extension.
https://arstechnica.com/inform... [arstechnica.com]
https://github.com/keraf/NoCoi... [github.com]
You can also take the URL they curate and then import it into your adblocker of choice.
https://raw.githubusercontent.... [githubusercontent.com]
Re: (Score:2)
Re: (Score:2)
Thanks! You are correct. My mistake for mixing up the origin of the 3rd link more.
Re: (Score:2)
A fair bit of my YouTube watching is through Kodi's YouTube plugin. It doesn't bother to show ads. I tried switching one of my TVs from a Raspberry Pi with LibreELEC (a Kodi distribution) to a Roku stick, but no matter what kind of adblocking I tried implementing on my network, the Roku would still run ads. The Roku is pretty much just for Amazon Prime Video now
On the desktop, I had run across HookTube [hooktube.com] a while back. I already have uBlock installed, but with a URL-rewriting plugin (just ran across Reques [google.com]
Re: Ad Blockers (Score:1)
Suck it up crybaby. Adblockers == freedom from bullshit
Re: (Score:2)
Too many websites seem to expect us to pay them for content they stole themselves.
Distributing such small chunks can't be worth it.. (Score:2)
Can the workloads really be broken down into such small chunks that running during a 15-30 second ad gets any useful work done? It seems coordinating breaking up and putting back together such small work parts would be more computational power than its worth.
Re: (Score:1)
Re: (Score:1)
It's the age of browser tabs. People open a tab with youtube and it stays open, often for hours.
Re:Distributing such small chunks can't be worth i (Score:5, Interesting)
At least Chrome limits background tabs to 1% of CPU [slashdot.org] and will, in future, pause javascript entirely in those pages.
Re: (Score:1)
Does it really matter? They're still collecting:
1 - A theoretical dollar for the video view
2 - The ad revenue, and they get to top it off with 3:
3 - Tiny fractions of a monero-cent
Adding #3 is free for them. Why not include it?
Re:Distributing such small chunks can't be worth i (Score:5, Informative)
Consider an algorithm such as Yescrypt (http://password-hashing.net/wiki/doku.php/yescrypt) which is a valid CPU cryptomining algorithm. My CPU (Broadwell i7 6800K) finds a share every 5 seconds with 11 threads running. I extrapolate a quad core CPU would find a share every 15-20 seconds. Those shares add up if the receiving wallet and mining pool are the same. This means wallet "iourthoesruithjvansoivrzupaweo" could have a swarm 10K workers mining for 30 seconds each on the same pool, and find 10K shares every 30 seconds.
Let's see what this adds up to in terms of cash.
My CPU (taken as reference) makes about 1.5 dollars a day. A Quad-core CPU (average desktop PC CPU) would make about 0.5 dollars a day through cryptomining. Multiply that by 10K miners (dynamic swarm), it adds up to 5K dollars a day. It's a hefty sum, assuming the website really has 10K active visitors at all times.
1K active sessions would yield 500 bucks a day, 100 active sessions would net 50 bucks a day. Even 10 active sessions would be 5 dollars a day, every day. Not bad, I'd say.
Re: (Score:2)
you can definitely break the workload into small chunks that only take a few seconds.
multiply all those small hashrates by tens of thousands of pageviews, and you start pulling in quite a respectable ROI. The hard part is finding a Monero pool that doesn't ban you for making tens of thousands of tiny connections.
Re: (Score:2)
Now's our chance! (Score:2)
Re: (Score:1)
you tube isn't very popular
O_o
Re: (Score:2)
your comment [pinimg.com]
Chrome has Extensions for that (Score:2, Informative)
One that comes to the top of my mind is Mineblock.
It specifically blocks cryptominers of all kinds, even ones that the usual script blockers and other antimalware stuff miss.
It's not the only one, and I'm sure that eventually the others will catch up to these types of extensions, but it's still relatively early days for this kind of infestation.
Keep up to date on whatever you use, and those leeches won't find you an easy meal.
Re: (Score:2)
Re:Chrome has Extensions for that (Score:4, Insightful)
I allowed ads for a long time for that reason, but now most of them are blocked because I got sick of the bouncing crap, auto-playing videos and ads with mouse-over actions. As far as I'm concerned, advertisers crapped the bed they sleep in.
Re: (Score:1)
That's perfectly retarded. Ads are malware vectors. Anyone mining coin on your rig without your explicit permission is a potential thief already, but you think their other ads are all going to be above-board? Retarded.
Behavior blocker allows plausible deniability (Score:4, Insightful)
Anti-adblock detects failure to load ads and removes the article's text from the DOM until the user disables protection. Running a blocker for a specific behavior gives you a bit of plausible deniability and room to complain to the site's support department about misdetecting an ad blocker.
Ad Blockers motherfucker! DO YOU GROK IT? (Score:2)
This is why I absolutely refuse to to surf without adblockers in place.
The whole online ads thing has been a shit-show since the word "go".
And they piss and moan about it, while taking ever greater liberties with computing resources THEY DO NOT OWN.
You can't even trust GOOGLE for chrissakes! And they're a browser vendor? How VERY convenient!
You wanna block me from viewing your content because I don't let you infect, destabilize, and take over my system?
Fine, I don't need to see your shit content that bad.
Re: (Score:2)
... browser vendor ...
Google doesn't sell a browser.
Re: (Score:2)
Stick with it, OK?
You'll get it after you've been on the Internet a while.
Re: (Score:2)
But you paid for Chrome, right?
There are ads on YoutTube? (Score:2)
I repeatedly surprised (and appalled) when I visit a favorite site on a machine other than my own (the horror!!)
What proportion of crypto-miners are bots or ads? (Score:2)
I know dedicated mining operations are way more efficient, but botnets can get pretty large.
Are there any estimates on just what proportion of crypto-currencies are mined through illegitimate means?
Real question (Score:2)
Why are ads even allowed to run javascript? It's one thing for double-click itself to be implemented in javascript, but why on earth do doubleclick/youtube allow the ads to include javascript? Shouldn't they just be an image or gif or video?
Re: (Score:1)
Seriously, if someone knows why ads can have javascript in them, I am legitimately curious what the reason is, not just a rhetorical question.
Re: Real question (Score:1)
Me too. How can these ads have access to JavaScript?
And yet webmasters still don't get it. (Score:2, Interesting)
I put up with adverts in newspapers and magazines because I understand they subsidise their production costs, but they don't track me and do shit behind my back.
Same for TV
Same for radio
Yet more and more websites display 'please disable your adblocker'.
NO. It's precisely because of shit like this that I run one and I have no intention of disabling it.
You want to display adverts on your site to bring in revenue, fine I get that. But do it the old way, with simple graphics that don't run unvetted shit on you
Time to ban JavaScript in Ads? (Score:3)
Putting JavaScript in ads causes too many problems, from drive-by malware to this (and many other things too). And it leads to annoying ads, like those pop-ups that never leave your field of view.
Yes, yes, I know it's because advertisers want to draw attention to their product. However, I suspect that many people would object less to ads if they weren't so annoying: compare to advertisements in (print) newspapers, who seem to have got along just fine without ads in -- what? -- several centuries so far?
If we banned JavaScript in ads, malware authors would have a lot more difficult task pushing their crap.
(Have to admit: only half-serious here, but still ...)
Re: (Score:3)
Pi-hole® (Score:2)
Third party content is a nightmare for users (Score:3)
https is such a falsehood. Sure the connection between you and one site may be secure, and you may actually trust it. But what about all those third party trackers and ad servers that load into the same page? Yes I am oversimplifying and https is about the connection and not the server's security - but as soon as a third party content is loaded shouldn't the underlying https connection become tainted in a way that it has something like one of those big red Xs on it for https+non-https mixed content? Maybe a middle finger emoji to the end user.
I wish for a day whereby disabling loading of third party content is enabled by default - and websites still work.
If you don't use an ad blocker by now, or even better something like umatrix extension - please add one to your favorite browser. (umatrix is from same guy as ublock origin, and sure it has a learning curve but we are supposed to be nerds reading this, and be amazed at all the third party junk on your favorite websites).
Re: (Score:1)
Why do ads include java scripts? (Score:5, Insightful)
I understand why an ad network like Yahoo or Doubleclick might use javascripts. But why would the individual advertiser need a custom javascript? Just provide a PNG or JPG or MP4 and be done with it. The idea that the ad networks permit arbitrary code in the ad is utterly ridiculous.
Re: (Score:2, Insightful)
(Posting as AC for reasons...)
The short answer is analytics. We need the JS in order to keep track of things such as how long you looked at the ad, whether you moused over it (or even moused close to it), etc. Measuring user interaction with an ad is critical to determining if an ad is effect. Or for that matter determining if a site is scamming us.
We also use JS to do deeper browser fingerprinting, to try to better identify a viewer for demographics purposes (did this go to a 28yo black female, a 50yo whit
Re: (Score:2)
That was informative but didn't really answer the crux of my question, and perhaps it is my way of asking it that is the problem. If I elaborate can you answer in more depth? Something is fundamentally wrong here:
Who in the chain is writing and delivering the JavaScript? Suppose I go to goodsite.com, and I see an ad delivered by Google's ad delivery division, for Joe's Lemonade? If goodsite.com wrote the script, that seems okay. If Google wrote the Javascript, that's fine too because I assume goodsite.
Re: (Score:2)
Thanks for the following-up!
we need html6 without crossdomain content (Score:2, Interesting)
1 why should there be content from domains not in the adress bar? (you dont expect there to be pepsi inside a can of coca cola!)
2 site designers need to keep content on their own site! (if you dont own the content, link to it, dont steal it)
3 100+ connections to load a single site is unacceptable! (and not cool to other users on public wifi)
4 ssl/tls is worthless with crossdomain content! (and please support ipsec/dane certificates to stop the certificate marfia)
5 all audio/videos should be click to play! (
Re:Good idea, actually (Score:5, Insightful)
"Unoccupied CPUs" were a waste back when a CPU used the same amount of power idling as working.
Today, giving my "unoccupied CPU" a task for your benefit is theft of my battery life (time until I need to recharge), battery lifetime (total number of cycles), electricity (both direct device usage and indirect cooling needs), and device lifetime (hotter devices fail sooner).
Now, if you'd like to offer me payment for these things you wish to consume, we can talk.
Re: (Score:1)
Then don't visit those sites. Parent was suggesting this would be a method of transferring value in exchange for your consumption of their service.
Re: Good idea, actually (Score:3, Insightful)
Right now we don't have that option. Because everyone who does this, does it without telling the user. Until it becomes a CHOICE, they can fuck off.
Re: (Score:2)
you list about four costs that probably add up to a penny or two per hour, particularly if the mining javascript has its intensity set below 40%, which was the default last time i checked.
you aren't being paid because the idea is YOU are paying a tiny microfee (in the form of an advertisement, or in this case a minor uptick in your cpu usage) for access to the content you are viewing.
i implemented a Monero JavaScript on a website i run, but it was an option that was DISABLED by default, and my users could v
Re: (Score:2)
How do you figure the cost of losing half your battery time? From what I've directly observed, having a few badly-behaved Web pages open can take me from six hours of battery life to two or three.
I've been known to pay for ad-free access to content, and I've been willing to accept ads as a way to compensate content providers. Ads are simply getting too expensive to accept now -- the electricity cost is small, but the costs in battery life, stability, and safety are just too high.
(And that's omitting the att
Re: (Score:3)
Now, if you'd like to offer me payment for these things you wish to consume, we can talk.
Were you able to see their content? You got paid. You're not going to get reimbursed for the power consumed by your TV or DVR while you're fast-forwarding through commercials either.
I don't like the miners either, but I understand that ads are the price of content. The alternative is paid content, which you're free to switch to.
Re: (Score:2)
If we really want to use this role-reversed metaphor, they're paying me (with their content) for my attention (to their ads). Ideally, my favorable and engaged attention, not my swearing-at-the-site-as-I-try-to-close-my-hung-browser attention.
In point of fact, I've decided that many sites offer inadequate "pay" for the resource hit they impose, whether from ads or just bad coding. Sometimes I switch to viewing them in a different browser that mitigates these resource attacks. Most often, I just stop visitin
Re: (Score:2)
Google even ran it ad free for years after they bought it.
If any company offers you anything for free, it's limited while they get you hooked or they're getting something from you that you haven't noticed.
You can't tell me a multi billion dollar company can't afford something.
Being able to afford something has nothing to do with it. TANSTAAFL. Everyone's in the game to make a profit and there's never enough.
Re: (Score:2)
Re: (Score:2)
What if they install something that keeps mining after you leave the page?
What if they install something that keeps mining as a system service that starts up automatically whenever you boot your machine, and maybe sets up a proxy for them to communicate with other systems inside your LAN?
After all, if you've viewed their content, they're entitled to compensation, right?
I think we fundamentally agree that informed consent is the important thing, but I'm not willing to venture very far down the slippery slope
Re: (Score:3)
There are lots of them that just keep running and eating up your resources even when you want to use them.
That's the problem with people secretly sticking their hands in your pocket, you have no idea how much they're going to take or how long they'll be doing it.
The very fact that they hid this from you is ALWAYS a bad sign.
Re: (Score:2)
It really depends.
Visiting from a desktop PC with adequate cooling? OK, I guess.
Using a laptop, tablet or mobile device? Bad, really bad.
Then it's a matter of how much mining is being performed and where. I assume most people leave a few tabs open, for example one with e-mail, one with news aggregator, a few community websites, maybe a couple social media tabs. If all of them cryptomine, you're in deep shit. Also if they mine while the tab is in the background, you're also in deep shit.
Re:Good idea, actually (Score:5, Insightful)
I don't know why this is the first time I'm realizing this, but "ads" that cryptomine seem like a great idea. Given the amount of web browsing that is just that, with an otherwise unoccupied CPU, I'd much rather the sites I visit be earning some money directly from my use than displaying crappy ads all over and splitting that income with the middlemen.
I would be fine with this in place of ads if a) it's fully disclosed b) it's opt-in, and c) it's set to consume no more than say 25% of my CPU.
Re: (Score:1)
It's probably less than 25% in that a single page's javascript operates on a single logical core and a dual-core processor w/hyperthreading has four logical cores.
Re: (Score:2)
It's probably less than 25% in that a single page's javascript operates on a single logical core and a dual-core processor w/hyperthreading has four logical cores.
JavaScript has been able to work with multiple threads on modern browsers for quite a while now. Just google "web workers".
Re: (Score:1)
The problem is that if given the choice between extremely intrusive ads, or ads that cryptomine, most advertisers will happily take both, and you will still get the "free iPhone" popover ads, that burn your CPU as long as they can, running up your energy bills.
There is no real negotiation. The ad guys want to trespass and seize as much of your devices and your attention as possible. The only thing stopping them is the fact that OS vendors and browser vendors have to do something or else people will change
Re: (Score:2)
Re: (Score:1)
Yea electricity isn't free and very few places have 100% green energy. Unauthorized crypto mining is a borderline malicious waste of all of our resources and my money.
Re: (Score:1)