"But according to Troy Mursch, a security expert who spends much of his time tracking Coinhive and other instances of “cryptojacking,” killing the key doesn’t do anything to stop Coinhive’s code from continuing to mine Monero on a hacked site. Once a key is invalidated, Mursch said, Coinhive keeps 100 percent of the cryptocurrency mined by sites tied to that account from then on."
This is where I think Coinhive ethically crosses the line; perhaps legally, too. The mining scripts should stop when contacting Coinhive and determining that the specified key/ID has been disabled due to complaints or fraud.
Reached for comment about this apparent conflict of interest, Coinhive replied with a highly technical response, claiming the organization is working on a fix to correct that conflict.
“We have developed Coinhive under the assumption that site keys are immutable,” Coinhive wrote in an email to KrebsOnSecurity. “This is evident by the fact that a site key can not be deleted by a user. This assumption greatly simplified our initial development. We can cache site keys on our WebSocket servers instead of reloading them from the database for every new client. We’re working on a mechanism [to] propagate the invalidation of a key to our WebSocket servers.”
I have also tried making a coinhive clone. Sparechange. We fully investigate any complaints and ban API keys immediately after investigation. The only reason to keep mining with a known bad key is greed.
Also, edit: we are working on a way for site owners to validate their site via a DNS entry or something, and only allow keys to mine on validated sites. We want to make this space less scummy!
Thanks for plugging here. I researched the space for an article (featured on the HN front page) a few months ago, but did not come across SpareChange. Back then I found coinhive to be the "only properly implemented authed" system, so I used that as an example. I'll wait to see how CoinHive comes out of this sh*tstorm and decide if I'll change my example to yours instead.
Also good to see there is (i) more improvement possible, (ii) ongoing investigation and (iii) competition in this space. Keep it strong, ignore the haters.
They also need to take more effective steps to allow them to claw back coins which were mined by bad actors. IIRC, they currently rake funds every few hours, allowing those bad actors to get away with most of the coins they mine before they get caught.
You could just point the miner at another pool and keep 100% of the shares. Cutting out CoinHive is trivially simple.
I really don't get the problem though. Someone's website is hacked and points to coinhive, and we want coinhive to fix it? This is why we can't have nice things.
Browser mining is basically worthless. If they're running a pool then they have to pay server usage to validate low value shares. I'm not sure CoinHive is even economically viable.
Meanwhile, Google, the multi-billion-dollar public company, is the one distributing this script through online ads.
Looking at the side shot, it just appears to be an older-style Ducati Monster with the trademark trellis frame replaced and a switch to a twin-shock rear suspension.
Yup, we decided to start with the older Ducati Monster Gen 1 trellis frame because:
a) it's widely accessible (used on Ducati bikes made from 1993-2007). Our team is based in SF, which is a distribution point for Ducati, meaning there's a glut of old generations available to tear apart, but they're easily accessible everywhere.
b) the mounting points on the engine mean that you can swap out for multiple types of engines, depending on your preference (620, 800, and you could possibly wedge a 748 in there if you really wanted to...)
c) the frame allows easy customization of the CAD files, based on style preference - you can make it shorter for a Bobber, longer for a Cafe Racer, change the rake and trail angles, etc. to fit your needs.
One of the women on the team who inspired this project is a track racer and finds it difficult to find bikes that work for her shorter stature, so this was a great use case for the customization.
The most senior staff (C-suite) usually have compensation which is aligned with the ultimate financial results of the company. I assume that there must have been mid-level WF headquarters people in their retail business who were compensated based on the number of account openings; these people would have had an incentive to cover up fraud that they suspected was going on in the branches.
Keep in mind that C-suite compensation typically is on the scale of a few years or less, not 5-10 years which is where you'd start to care about long-term ramifications of behavior such as this.
The performance of the company for those C-level executives is measured in how high the stock price is. The number of accounts and customers that a bank has influences this, especially when it is growing consistently over a long period of time. This means that the C-level executives did get a benefit when lower level people were fraudulently creating these accounts.
Yeah, but "away" and "busy" are two different statuses. "Away" seems to me to indicate "not working". "Busy" seems to indicate "working too hard to be interrupted."