It’s Worse Than You Think: Mining Apps


I just stumbled across this one; perhaps it’s what was going on with my browser the other day. I’ve been thinking about how to enumerate all the stuff that’s going on in a system – building a “petri dish” surrounded with sniffers, then watching and memory-scraping my browser to see what it was doing. It sounds like the answer would be “too much.”

Today, a visit to the Guardian netted me a bunch of cross-site-scripting warnings all going to crwdcntrl.com – so I did a bit of checking on them. Naturally, they sell “user experience management” and “Big Data analytics” etc. More spyware for marketers. In the course of my research I was reminded of another aspect of this crap: if crwdcntrl.com is having performance problems, it slows my browsing experience down. If you are on a page where the javascript for some stupid tracking app has to complete before you get actual content, the tracking app’s performance problems look like the site’s problems. Rob Pike (of Bell Labs, now Google) used to say “distributed computing is when a computer you’ve never heard of can go down and take your system offline.” [Per Andrew Dalke @#4: that quote is from Lamport, who Pike was quoting a lot back in those days; the error in attribution is probably my memory. Pike is scrupulous about giving credit where it’s due.]

All the additional complexity brought on by all the taps and monitors and sniffers and parasites makes everything less reliable. That’s a pretty good summary of computer security, with the only addition being that you’re not dealing with semi-benign stupidity, you’re dealing with outright hostile action.

Today, Ars Technica had a piece about a new trick: someone gets a chunk of code to run in your browser, hides a pop-under window behind your taskbar where you can’t see it, and uses your CPU to mine a Bitcoin-like blockchain currency (e.g., Monero). It doesn’t require that the site you’re visiting be malicious – it just has to be a site with an ad service that serves you the necessary code; it could even be FreeThoughtBlogs. [ars]

Over the past month or two, drive-by cryptomining has emerged as a way to generate the cryptocurrency known as Monero. Hackers harness the electricity and CPU resources of millions of unsuspecting people as they visit hacked or deceitful websites. One researcher recently documented 2,500 sites actively running cryptomining code in visitors’ browsers, a figure that, over time, could generate significant revenue. Until now, however, the covert mining has come with a major disadvantage for the attacker or website operator: the mining stops as soon as the visitor leaves the page or closes the page window.

Now, researchers from anti-malware provider Malwarebytes have identified a technique that allows the leaching to continue even after a user has closed the browser window. It works by opening a pop-under window that fits behind the Microsoft Windows taskbar and hides behind the clock. The window remains open indefinitely until a user takes special actions to close it. During that time, it continues to run code that generates Monero on behalf of the person controlling the Website.

It has been a subject of annoyance for me for nearly 20 years: the idea that hackers are cool whiz-kids who just want to explore stuff and ${stereotype}. Naturally, some are. But a lot of them are making our world a worse place – this stuff isn’t cute: it’s theft. Not that my opinion matters at all, but I believe that some marketing weasel running code designed to track me in my browser is stealing my resources. It’s also stealing my information, which we know is valuable because otherwise the marketing weasels wouldn’t be stealing it in order to sell it.

Welcome to computer security: the sociopath’s playground where the avant guard meet the rear guard.

------ divider ------

The article in Ars doesn’t ever mention that stealing my CPU cycles is stealing. Nerd culture is very standoffish about not being overtly disapproving when nerds are being naughty, even when it’s a crime. That’s a problem that is going to continue to bite nerd culture: look at all the hackers that are developing stuff for tracking all of our activities! They are forging their own shackles.

By the way, I took a look at what it takes to mine for Monero. The whole digital cash-mining business is pretty interesting. From a security standpoint, it’s horrifying: you download someone else’s code that is using your CPU cycles and network to collect valuable cryptographic tokens. Why should we believe that the code that’s doing the mining isn’t compromised? It seems to me that the best way to hack a digital cash system like this would be to produce a really nifty graphical interface/mining manager, and then make it default to occasionally scraping system memory and slipping out someone’s wallet key and wallet. The whole system appears to lack integrity, to me – it’s just ripe for subversion attacks. If I put my tinfoil hat on, I’d even imagine that the NSA might set up a digital cash mining scheme like Monero just to get all the suckers to waste their time using “anonymous” cash that was secretly controlled (if you think you are doing anonymous cash transactions, but I own the cash that is used in 25% of the transactions, I can build up a pretty good idea of who is doing what just by correlating transaction amounts.) More interestingly, to use the digital cash system you’re running some network service written by (who?) and audited by (who?) with reliable software delivery (how?) and it’s connecting to a server run by (who?) that can collect the IP addresses of everyone who is mining the “anonymous” cash. That sounds about as “anonymous” as wearing a ghillie suit in an empty asphalt parking lot.

“Stealth” – mjr, 2010. Model is Eric vS.

Comments

  1. John Morales says

    Every now and then, I just close my browser instance. Every now and then, I reboot*, apparently pointlessly.

    (Simple cost-benefit analysis, with what Marcus wrote in mind)

    * It helps that my current box is a hand-me-down from a gamer friend. It’s about 3 years old.

    (32 Gb fast RAM, all SSD, lotsa cores, ridiculous GPU — but obsolete for elite gaming nonetheless)

  2. John Morales says

[… and it consumes over 1.4 kW when working hard (e.g. Skyrim).

    cf. Moore’s Law vs. Koomey’s Law]

  3. Holms says

    Off-topic complaint time!
    My computer is also a gaming machine, but is 6 years old. 8 GB DDR3 (your RAM is probably DDR4), SSD boot drive but otherwise HDDs, ‘bang for buck’ GPU. Even so, this is not ‘obsolete for gaming,’ it is merely ‘obsolete for running new releases at maximum settings.’ It takes a particular mindset to regard those two obsolescences as equivalent.

  4. John Morales says

    Don’t tell me, Holms. And my friend knows all that, he’s cluier than I am.

    (He’s a gamer, but)

  5. John Morales says

PS just took a look (not a hardware guy) and it’s at four out of eight slots used @1866 MHz. Seems pretty good to me. Box weighs more than 28 kg, FWIW. Lots of fans.

  6. sonofrojblake says

    Another view of mining apps:

    A site has to pay for itself somehow. I don’t want to see ads. If it’s a choice between seeing ads and having the site I’m looking at work slightly slower, the latter sounds ok. IF I’m asked which I want, and if it’s temporary – why not?

  7. felicis says

    A note on ‘cryptocurrency’ – largely ignored is the fact that any particular system only gets weaker with time. I believe Bitcoin uses SHA-256 for hashing (yes, just checked) – so as SHA-256 gets weaker, so do all of the advantages of Bitcoin – and thus each Bitcoin ends up being worth less (yes, this may be counteracted somewhat by that natural deflationary tendency of such currencies) and eventually, someone is going to be left holding a bag of bitcoins they can’t trade to anyone for any price.

    The current ‘value’ of a bitcoin is almost $11,000 – that’s insane, there is no reason for it, and I suspect that in the next few years, we are going to see some people lose big in this realm.

  8. says

    Charles Stross has a pretty fun thread over on his blog, in which he gives his take on cryptocurrencies. [charlie’s diary]. It’s got some really interesting comments, too.

    I don’t think Charlie is being particularly unfair when he says:

    What makes Bitcoin (hereafter BTC) pernicious in the first instance is the mining process, in combination with the hard upper limit on the number of BTC: it becomes increasingly computationally expensive over time. Per this article, Bitcoin mining is now consuming 30.23 TWh of electricity per year, or rather more electricity than Ireland; it’s outrageously more energy-intensive than the Visa or Mastercard networks, all in the name of delivering a decentralized currency rather than one with individual choke-points. (Here’s a semi-log plot of relative mining difficulty over time.) Credit card and banking settlement is vulnerable to government pressure, so it’s no surprise that BTC is a libertarian shibboleth. (Per a demographic survey of BTC users compiled by a UCL researcher and no longer on the web, the typical BTC user in 2013 was a 32 year old male libertarian.)

    There are other problems, as I referenced above: BTC presupposes a 21st century communications infrastructure that is free of interference from governments. And – that’s really a whopper.

    It inspired some of my non-masterpiece photoshopping:

  9. says

    Andrew Dalke@#4:
    I believe the “distributed computing is when …” quote is originally from Leslie Lamport, not Pike.

    I’ve updated my comment above. I heard Pike say it at a USENIX when I was a pup – however, please don’t think I am saying Pike didn’t attribute it (it’s more likely a case of my bad memory) Pike was quoting Lamport a fair bit back then, if I recall.

    Thanks for the correction!

  10. says

    felicis@#9:
    A note on ‘cryptocurrency’ – largely ignored is the fact that any particular system only gets weaker with time. I believe Bitcoin uses SHA-256 for hashing (yes, just checked) – so as SHA-256 gets weaker, so do all of the advantages of Bitcoin – and thus each Bitcoin ends up being worth less (yes, this may be counteracted somewhat by that natural deflationary tendency of such currencies) and eventually, someone is going to be left holding a bag of bitcoins they can’t trade to anyone for any price.

    You raise a good point: what happens to all the bitcoin when SHA-256 goes the way of the dodo bird? I remember back in the day when everyone used MD5 for everything… Oops. (It’s still OK as a general show hash function for non-cryptographic use) I don’t believe that there is any feature in bitcoin for forward-transitioning to a new algorithm.

    My assessment is similar to Charlie’s – we’re at the beginning of the end of a bubble. That’s the stage that is characterized by all the early adopters exiting with their profits, while the value of the commodity begins to spiral down and down as it gets harder to rope new speculators into what is basically a ponzi scheme.

  11. Dunc says

I’ve always felt that Bitcoin and the like are what you find in the middle of a Venn diagram involving libertarianism, crypto-nerdery, and gold-buggery… Nothing good can come of it.

    Call me old-fashioned, but I rather like my financial infrastructure to be susceptible to “government pressure” – or “regulation”, as reasonable people call it. That’s how I can be fairly certain that my money will still be there when I ask for it.

  12. says

    I read that article about bitcoins. I was aware that there are problems with them, but I had no idea that they make up to 0.12% of global energy consumption. Ouch! Now it actually seems like a good idea to ban bitcoins.

    My willingness to trust governments is limited though.

    A friend of mine has a pretty large collection of old money. It’s not like he’s actively collecting it, it’s just that his family had plenty of it and he simply decided not to throw it out. He just kept and stored all that now worthless paper he inherited from his ancestors.

    Up until 1917 people in Latvia used the imperial ruble. Then came WWI, which rendered people’s life savings worthless.
    For a short while a large variety of different currencies were in circulation.
    From 1919 to 1922 there was Latvian rublis.
    From 1922 to 1940 there was Latvian lats.
    Then came WWII. For a brief period of time Latvian territory was under German control, which meant German money.
    After the war came the soviet ruble, which was used up until 1992.
    From 1992 to 1993 there was Latvian rublis.
    And from 1993 to 2014 there was Latvian lats.

    Both world wars rendered people’s life savings worthless. So did the collapse of the Soviet Union. In 1993 Latvian politicians in charge of the monetary reform decided that two hundred rubles will be exchanged for a single lats — this literally wiped out people’s life savings.

    My friend has pretty large stacks of old and worthless paper money, all of it is from 20th century. All that paper used to be worth a fortune, these papers were people’s life savings. Examining his collection made me pretty cynical about the whole idea of retirement savings. Politicians and banks here urge people to save for their retirement. At the age of 25 I’m now supposed to put my money in a bank where it will sit for over 40 years until I retire. And I’m supposed to believe that nothing bad will happen with this money for all these years. Possible problems:
    1) wars, financial crisis etc. resulting in currency replacements, which totally wipe out people’s savings;
    2) the bank where I keep my money experiencing bankruptcy;
    3) inflation resulting in my money being worth a lot less after 40 years.

So far I have experienced #1 only once in my lifetime (in 1993).
    I have experienced #2 many times with numerous banks going bankrupt during my lifetime, in 1995 my uncle lost a lot of money when the bank where he kept his money went bankrupt.
    #3 is happening all the time. Inflation rates tend to get pretty high every now and then.

    I sure trust people who print money /sarcasm/.

    By the way, I have no intention of making retirement savings anytime soon, and I actually think that this is a reasonable decision.

  13. says

    Dunc@#13:
I’ve always felt that Bitcoin and the like are what you find in the middle of a Venn diagram involving libertarianism, crypto-nerdery, and gold-buggery… Nothing good can come of it.

    I agree. Let me try another argument on you. It’s half-baked still…

    One of the things that scares me about bitcoin is that it’s a form of wealth that has a high cost of entry. In other words, while the “wealth is free” appears to be true, it actually comes with a pretty substantial infrastructure cost and energy cost. In other words: it’s the perfect capitalist storm: it’s money that is only available to rich people.

    A commenter over at Charlie’s also pointed out another ugly bitcoin truth that most bitcoin advocates like to dodge around: “un-controlled cash” means “untaxable cash.” Combine that with my observation above and you wind up with:
    un-controlled, untaxable cash, that’s only accessible to rich people.

    I thought about doing an entire posting around that idea, but it’s really just a sentence, isn’t it?

  14. says

    Ieva Skrebele@#14:
    I had no idea that they make up to 0.12% of global energy consumption. Ouch! Now it actually seems like a good idea to ban bitcoins.

    That was my reaction. That’s a hell of a carbon footprint! And, as felicis pointed out – it could go “poof” at any time if there’s a break in SHA256. Fortunately, cryptographic hashes never get broken. Well, OK, every single one has been broken, except SHA256. But SHA256 is good.

    He just kept and stored all that now worthless paper he inherited from his ancestors.

    There was an old woman who lived alone, in the village in France we used to visit when I was a kid. One day she died (as happens) and when they were cleaning out her stuff they discovered that her mattress was stuffed full of old French Francs from WWI. She had won a lottery and slept on a lumpy mattress for a long time. I suppose she was happy-ish the whole time, though: she felt rich even if the whole lot was useful only as toilet paper.

    By the way, I have no intention of making retirement savings anytime soon, and I actually think that this is a reasonable decision.

    I agree with that. As someone who watched the value of his retirement savings spiral down the toilet in 2008, I feel similarly. After it bounced back up (thank you, American economy!) I diversified into real estate. Of course, they can take that, too – it’s ridiculously easy: just tax you until you have to fire-sale it.

  15. says

    Oh, by the way – it turns out there are game apps in google play that will use your android phone to mine bitcoin. [ars]

    Researchers scouring the official Google Play market have unearthed more Android apps that surreptitiously abuse end-user devices to carry out the computationally intensive process of mining Bitcoins.

    The malware, dubbed “BadLepricon” by its creators, was stowed away inside six five separate wallpaper apps that had from 100 to 500 downloads each, according to a blog post published Thursday by researchers from Lookout, an anti-malware provider for smartphones. Google employees promptly removed the offending apps once Lookout reported them. It’s at least the second time in a month that third-party researchers have discovered cryptocurrency-mining apps available for download on Google servers. Four weeks ago, researchers from Trend Micro reported they found two apps downloaded one million to five million times that mined the Litecoin and Dogecoin cryptocurrencies without explicitly informing end users.

    Been experiencing battery life problems?

    According to this article in PCMag [pcmag] it takes:

    The numbers say it all. Lookout’s researchers calculated that if you’re mining for 24 solid hours on a Samsung Galaxy SIII, you’d only earn .00000007 Bitcoin or $0.00004473. In order to make just one Bitcoin in a day, Lookout says you’d need 14,285,714 phones working full-tilt simultaneously.

    Bitcoins are hugely valuable (over $600USD per Bitcoin), and therefore require huge resources to mine. But even less valuable cryptocurrency, like Litecoin, are beyond the reach of mobile miners. If you took 3,752 SIII phones and let them work for 24 hours, you’d end up with a single Litecoin which is worth a paltry $8 USD.

    That bubble has sailed.

  16. Dunc says

Ieva, @14: Well, I have pretty limited trust in government too, but it’s still way more trust than I have in “some guy on the internet who’s actively trying to avoid any kind of identifiability or oversight, and very probably involved in serious illegality”, which is a fairly reasonable description of the counterparties in any bitcoin transaction…

    As for investment and retirement… Sure, all investment bears risk – but avoiding investment bears risk too. I got sick of always being poor quite some number of years ago now, and given that I have acquired some modest savings, I have to do something with them. But there are no absolute guarantees…

  17. says

    #18

Well, I have pretty limited trust in government too, but it’s still way more trust than I have in “some guy on the internet who’s actively trying to avoid any kind of identifiability or oversight, and very probably involved in serious illegality”, which is a fairly reasonable description of the counterparties in any bitcoin transaction…

    I agree. I never said that I have any trust in bitcoins.
    A quick glance at the bitcoin value over time graph should reveal that their value is jumping all over the place. This is not a good thing for a currency to do.

    As for investment and retirement… Sure, all investment bears risk – but avoiding investment bears risk too. I got sick of always being poor quite some number of years ago now, and given that I have acquired some modest savings, I have to do something with them.

I have quite a lot of trust in our currencies when it comes to the short term. I can be pretty sure that the €1000 I have in cash at home will be worth about the same two years from now. However, I have no intention of trusting that it will be worth anything 50 years from now. I think that for people who are in their fifties it is reasonable to make retirement savings. Since I’m 25, it’s a whole different situation for me. Overall I think that it’s not worth working hard in order to earn much more money than I spend on a daily basis. Currently my workweek is less than 20 hours. I prefer to enjoy my life now instead of planning to enjoy it someday in the future when I’m over 60.

    Part of the problem is that in the future we will have to deal with climate change and natural resource depletion. I suspect that bad things will happen once climate worsens. And the 2008 economic crisis wasn’t really solved, it was only postponed. Therefore I’m pretty pessimistic about the future.

  18. Dunc says

    I certainly don’t think there’s any point in putting your life on hold to save for the future, right enough… Heck, I’m in my mid forties and only working 30 hours a week for that very reason. It’s all about striking a balance… Having said that, having been around for long enough now to start seeing the effects of compound interest, I do wish I’d started saving a little bit, a bit earlier.

  19. John Morales says

    Talk about topic drift…

    End of the day, there’s an extant system.

    It’s very much like a game — nobody is forcing you to play it as the developers (nonexistent here) intended, but some play-styles are better than others — but one has to play it on its merits, and some play modes are more efficacious than others.

    (And yes, there is no long-term security — but to infer from that that long-term strategies are not worth pursuing is flawed. Case in point, an AUD8,000 stock bundle investment I made in the early 90’s is now worth a little over AUD150,000, though of course subject to capital gains tax if I cash it in)

  20. Andrew Dalke says

    Marcus@#15: regarding “un-controlled cash” means “untaxable cash.” One of the techniques to limit under-the-counter business transactions now is with a receipt lottery. What if, when you pay by Bitcoin, you could also send your transaction details to the lottery office, and have a chance at winning $1 million in the next day’s lottery?

  21. Andrew Dalke says

I didn’t understand #23. Do receipt lotteries help the rich get richer? I thought they provided more control, even for otherwise untraceable cash transactions.

My question is whether that could be applied to Bitcoin. Plus, if enough people participate, then that knowledge, combined with the public transaction log, would make it easier to apply network analysis. While this could certainly be used to help the rich get richer, couldn’t it also be used to identify those not paying their Bitcoin taxes?

  22. says

    Andrew Dalke@#24:
Do receipt lotteries help the rich get richer? I thought they provided more control, even for otherwise untraceable cash transactions.

    Only people with money can play in them, and the more they move their money around, the greater the chance they’ll win more money. I understand the principle but I think the feedback loop may be working the wrong way.

    I do agree that it might be useful for encouraging people to pay their taxes. I suspect nothing will happen, because the dollar amounts are below the level where the oligarchy will care and it won’t interfere with the existing structure of tax havens that are in place.