
Watch our ads or we’ll use your CPU for cryptomining

The Salon news site is offering users a blunt choice: turn off your adblocker or let the site use your browser to mine cryptocurrency.

From this week, visitors to the Salon news site who are running an adblocker have been confronted with a blunt choice: turn off your adblocker or let the site use your browser to mine cryptocurrency instead.
You’re on the horns of a dilemma: turn on ads and be annoyed by in-your-face content you’re tired of (and goodness knows what else besides), or turn on cryptomining and be annoyed by hidden content that sends your CPU into thermal overload (and goodness knows what else besides).
Interestingly, many security products – including Sophos – treat coin mining sites as so unloved and unlovable that they’re blocked by default, so Salon looks set to send you head-to-head with your own organisation’s sysadmins by forcing you to pick between the security devil of getting tracked by ads and the deep blue sea of letting cryptomining JavaScript have its way inside your network.
As Salon explains:

Your unused processing power are the resources you already have but are not actively using to it’s [sic] full potential at the time of browsing salon.com. Mining uses more of your resources which means your computer works a bit harder and uses more electricity than if you were just passively browsing the site with ads.

How does this business model work for Salon?
According to a pop-up on the website, Salon uses Coinhive. It’s the same browser-based coinmining service used in last weekend’s indirect compromise that turned thousands of websites – including numerous government pages in the US, the UK and Australia – into cryptomining zombies.
According to Coinhive’s own website, even if you have a high-traffic website with 1,000,000 page visits a month, each of which lasts a full five minutes, mining all the time, all you can expect is about 0.27 Monero a month – currently about $100.
Some reaction to Salon’s move has been way less than positive.
Researcher Kenneth White tweeted:
https://twitter.com/kennwhite/status/963425743542870016
But how can websites earn enough of a living to keep themselves afloat, especially with the rise of adblockers? In a world where readers seem disinclined to pay for content, and don’t want to allow advertising, cryptocurrency mining might look like the only viable option.
A fundamental problem is that Salon’s CPU-hogging implementation is unlikely to be sustainable. It isn’t at all clear that cryptomining is actually a viable way to make money for the sites that use it, and it probably doesn’t scale well either – if too many sites adopt it then web browsing would quickly become a chore.
If CPU utilisation were dialled back to lower levels, and user numbers grew, the idea might have legs.
As it stands, cryptomining has a lot of image-building to do (remember Pirate Bay?) and much to prove.



32 Comments

Since this just popped up out of nowhere, I wonder if this is in response to Google enabling their in-browser adblocker soon?

Reply

Let’s see, allow ads which hog bandwidth or let them use your CPU or GPU for cryptomining. Guess which I will choose. Yes, neither. I don’t mind ads but when the claimed content is covered up with ads then your content is not worth the asking price. I have advice for people who offer content paid for by ads. Most of that content is NOT original to the Web. There are others out there hawking the same content. You will not make money with ad revenue because you are not going to get paid enough so you have to host more ads and still more. Do you see a pattern here? The only person making any money is the person who created the ad. Hosting click ads is a lousy business model.

Reply

This will not last long, as people flee the site in droves. And if a site is that hard up, then perhaps their numbers are already diminished and this is a last ditch effort? Crummy content will not get support, one way or the other, especially when there are so many choices out there.

Reply

Is there a way of restricting how much CPU time a browser is allowed to use?
It’s not like this is the first outrageously hungry website I’ve visited, this is just the one that did it deliberately.

Reply

The site itself can throttle things back – we recently saw a cryptojacking attack (cryptomining where the original website owner didn’t intend it, but got hacked) that hit loads of Anglophone government sites that deliberately tried to dial itself back a little:
https://nakedsecurity.sophos.com/2018/02/12/cryptomining-script-poisons-government-websites-what-to-do/
The problem for sites like salon DOT com is that you have to hammer your readers’ CPUs pretty hard to make any money at all (and the earning rate has fallen off lately, as CoinHive itself admits, due to plummeting cryptocoin prices and increased competition in the mining world), so it’s an open question whether cryptomining of this sort will ever get anywhere near the sort of revenue you’d get from ads.
Feels to me as though to make any useful amount of revenue this way, Salon will need to force all its readers to use laptops (mobile phones are no good), stay on the site for hours, eat through their batteries much faster than they’d like (so they need replacing sooner), set their laps on fire, have their other programs running like treacle, and listen to their fans blowing dixie double-four time.
With my personal hat on, not my Naked Security one…thanks, but no thanks! At low CPU rates, Salon is wasting its time; at high CPU rates, it’s wasting mine.

Reply

Just happened to leave Salon open in a browser window and what happened? I got a popunder in the next tab informing me that my Adobe Flash was “out of date” and that I needed to download their handy malware infected payload. This is unacceptable. Good thing I know what malware looks like and stopped it before it got installed. I also know most people don’t and too many fall for this kind of drive by download nonsense. This is criminal. Sophos – please – how does one report this kind of active malware propagation scheme?

Reply

Depends. If you’re in the US, the place to start is IC3 dot GOV (The FBI’s Internet Crime Complaint Center). As to whether there really is any “crime” here – well, the IC3 site tells you what you can and can’t report.

Reply

“In a world where readers seem disinclined to pay for content, …”
The world may very well be willing to pay for content, according to some trends recently reported by NY Times.
I, for one, would rather pay a fair amount for content than seeing ads or running rogue software.

Reply

Surely this is illegal? If not, it should be. They don’t own the hardware so they have no legitimate right to even access it, let alone use it for any purpose. Further, they are using threatening language – which is illegal. So what are the authorities doing to stop them and take them to court?

Reply

I have no idea why you think this would be illegal.

Reply

There is another issue here – Salon is essentially paying unknown people for a cloud service that is being bankrolled by its web visitors. Aren’t you supposed to “know your customer/know your supplier” in the US? Who’s doing the accounting? What taxes are being paid? Where is the money going? What activities is Salon helping to fund?

Reply

Running and producing a media site is not free, we shouldn’t expect its content to be free either. The internet made a bad choice in the beginning, and now it’s having consequences. Either get behind a paywall, allow sites to run their ads, or allow them to do some background-mining. What other options are there?

Reply

Sites could generate revenue by providing content worth paying for, and one article per month isn’t enough. I don’t block ads, I block scripts, so sites could stop being lazy and start being creative with ads that don’t jeopardize my security with script-driven malware. Sites could stop incessant privacy violations and treat their users with a little respect, that might generate some subscription revenue. A couple of years ago I was in the process of filling out a subscription form for a premium weather service web site – to the tune of about $80 USD per year – when I read their privacy policy. Paraphrasing here – it essentially said I agreed to allow them to track me across the entire web, including sites not affiliated with them. I cancelled the form and they lost $80 per year. As another reader implied, sites could stop pretending that regurgitating wire service news feeds is “creating content”. The problem isn’t the consumer, the problem is greed on the part of the industry. Companies look at the gigaBucks Google and Facebook haul in and want a piece of the pie without providing unique services in return. For years we paid for print magazine and newspaper subscriptions (and still do) but the newspaper is giving us less and less in return. Poorly written puff pieces complete with misspellings and malapropisms do not make a subscriber feel all warm and fuzzy when looking at the subscription bill.

Reply

I don’t know if anyone noticed, but there is a prompt at the bottom of nakedsecurity about use and consent. Wonder how many people would care about background crypto-mining if they saw a similar disclaimer.

Reply

It’s about reasonable expectations though, isn’t it? The ICO in the UK decided that the most sensible way to implement the EU’s cookie law was to offer sites the chance to use “implied consent” – an announcement rather than a positive user “click” – for the kind of typical cookie uses users had come to accept and expect.
Cryptomining isn’t well known enough for implied consent to work, I think.
It seems to me that the challenges for cryptomining are: it’s something complex that users don’t yet understand and therefore need to be explained to them for them to feel they’re getting a fair deal; if it is explained to them they’ll still disable it for the same reasons they disable ads; it’s become popular with criminal hackers FAST and has therefore already acquired something of a bad reputation; it probably won’t make site owners enough money (and could easily make even less money as it becomes popular because, as I understand it, there is a cap on the rate at which Monero can be produced) so it will probably always have to be dialled up to 11.

Reply

Any way to know if a site is doing this already? Some advice on how to block this abuse would be a great subject for your next article.
It seems many pages now take 100% power to load. The page load speed of all sites for me is slower now than ever. I have Sophos security, but I am questioning as to whether it’s detecting this activity or not. I have a monster computer so it makes no sense why this is so. Games and such still run instantly.

Reply

Sophos Home will block known cryptomining sites – the content is typically sourced into some other page, so the original page still loads, just the mining script is blocked.
And in cryptomining-laden sites we’ve tried, the side-effects were quickly obvious: computer runs like treacle. (I have a fanless laptop these days but if you have fans, they may well give it away by roaring.) Fan noise and sludgy running are not reliable indicators but if you experience them…check the system monitor and check the CPU usage of your browser.

Reply

I went to the salon . com site, told it to run the cryptominer, and although the page then loaded, it was quickly grayed out and I couldn’t click on anything. But it does appear that Sophos Home did block the miner from running.

Reply

They really should just start mining cryptocurrencies that use proof of stake, not proof of work. A single Raspberry Pi would be plenty powerful enough.

Reply

Never was a fan of Salon articles so I really don’t care. Same with Forbes – they block content if my browser blocks their ads. Information is everywhere and a few sites blocking content isn’t going to be an issue for anyone. Google is starting to block intrusive ads so Salon is going to have their ads blocked anyway.

Reply
