Prime example of failed business models and their desperate attempts to survive.
I'm really disappointed about how online publishers handle the decline of ad revenue. Of course my ad-blocker will also block your miner script, what do you think how this works? And better yet, integrating external third-party JavaScript into your website screams for abuse by attackers. Someone could just change the wallet address the scripts mine for and suddenly all your visitors not only do not mine for Salon, but mine for someone else entirely.
But yeah, ask me about "well how do we make money?" and I don't really have an answer myself. IMO sources like Patreon are the most appealing for me, though it might hurt websites I have not yet in my list and would not be able to access if I'm not a subscriber.
> sources like Patreon are the most appealing for me, though it might hurt websites I have not yet in my list and would not be able to access if I'm not a subscriber.
There's also the crowdfunding model. Backers can pay in advance to cover your production costs, and post-funding sales can earn you a profit. I've seen cases where the product became freely available once sales brought in a pre-determined profit.
Of course, this works best for individual productions with rather small budgets, such as documentaries or music albums. Not so much for big productions (think Hollywood movies) and not so much for periodic publications like magazines or blogs.
Imagine you have a little widget in your browser that displays something like '50%' which means you constantly use 50% of one core to mine a cryptocurrency for the page you are currently looking at.
And in return you get an ad free web. I think that would be way better then the web as we know it.
It's a perfectly reasonable solution for those who are okay with it. You need to pay with something - either with your privacy, your attention, your money, or your electricity/idle CPU cycles.
Ad blockers eliminate paying with attention, and put a big squeeze on paying with privacy. Which makes the leftover choices of money or power quite reasonable.
What site uses the money or power for is nobody's business. Would you not pay journalists if you found out they like losing money on pyramid schemes?
It's not though because the effects on the rest of the web are negative.
Cryptojacking will become more common the more legit websites use it as a source of revenue. And this specific company / team of developers have been doing very little to stop the malicious use of their javascript. Why support them?
EDIT: By "why support them" I obviously mean, why should a publisher support a team with such wanton disregard for security of the net that they depend on to publish their stuff. I won't read the articles. But their decision to use such a thing isn't a good one and I can criticize it.
Because adblockers can (and do) block all scripts and sites that mine without consent. Specific legal and consent-only domains will need to be whitelisted, which is what CoinHive is trying to with authedmine.com
So people who don't run adblockers should just suck it up and get gut-punched because CoinHive doesn't want to lose money? CoinHive has the ability to just not pay out any versions of the software which aren't authmine. Again, what a bad look to partner with such a crap team of people. There are surely other providers of the exact same service.
I beg to differ. I've tried Coinhive's miner, it used all of processor's threads and making my browser unresponsive, couldn't even move mouse pointer or close the browser. Mining coins on a browser is bad for everybody involved, especially for the users.
>A coin being mined is controlled, handled entirely by first party, provides no incentive for tracking, etc.
Yeah, also a haven for hackers and malicious actors...
EDIT: I guess you weren't aware. CoinHive doesn't track the users who sign up for the service. It doesn't collect any information except email address. So malicious actors can easily sign up for the service and deliver the javascript through an XSS vulnerability for example. I thought that's what you meant by "no incentive for tracking".
In what way? I consider this a security win. Instead of a third party delivering unknown, unscreened content (ads), I get a mining script directly from the site that I'm visiting.
One man’s trash is another mans treasure. In this case it’s not even trash (power). If it has value to someone else why dismiss it as a barter tool for you?
Using that battery power does not 'let' anyone buy into the pyramid scheme. People buying monero or not is orthogonal to Salon mining it in your browser. Salon mining it does not in any way facilitate people buying it.
Monero itself is worthless for Salon until they exchange it to USD, either directly or through a chain of other cryptocurrencies. Either way, for them to get the USD, some schmuck somewhere needs to buy the coin.
With the volatility of crypto assets this is not a viable solution for the publisher, especially because readers who have an ad-blocker installed are likely to block the mining script as well.
This is a publicity stunt. Nothing more, nothing less.
If so, this is a stupid publicity stunt, given the largely negative reaction by this community and the media. If anything, more people will install adblockers because of things like this.
I'm sure as soon as that micro-payments model evolves Salon will be happy to switch to it. People have been saying that for 20 years, though, and this is the closest we've come.
In practice, people have been wishing for a well-functioning micropayment system for well over twenty years and the best we have to show for it is PayPal. Flattr seemed like a good idea, mostly, but for some reason it tanked, too (AFAIK).
Either people are not interested in creating one that works, or the problem is really, really hard.
I think the problem is simply hard. Micro-payments imply more infrastructure costs (more transactions) but lower revenue (because the payment itself is tiny, so the fee has to be tiny as well).
But look at Bitcoin's Lightning Network, it may very well become a valid micro-payment system. As far as I know it's biggest scaling roadblock is getting efficient routing.
Micropayment is the way to go. There needs to be a two-sided market. Free isn't the market clearing price and whatever the content producer wants to charge also isn't.
That's really disingenuous. The software does exactly what it says on the cover and the documentation, no more and no less. And it causes no harm of any sort, but uses lots of power as designed. The malware classification comes because some sites used it without user's permission, which CoinHive fixed via the authedmine.com domain - that only allows the miner to be use with explicit and temporary user consent.
But the software is clearly a hot avenue for hackers. And trying to legitimize this kind of thing also makes the foray into "cryptojacking" more enticing.
If legit sites start doing this, users will get used to it and hackers will bring in more cash.
CoinHive didn't fix this, as far as I understand. They simply published an alternative miner. As recently as a week ago, many UK and US gov sites were cryptojacked using the CoinHive software: https://motherboard.vice.com/en_us/article/bj5m4v/cryptocurr...
They don't even seem to be trying to root out malicious users:
>The team don’t specifically track domains, so if a user’s email address is not, for example, “contact@website.com,” Coinhive often don’t know where or how the service is being used, though.
CoinHive has assumed that all instances of sites directly using the CoinHive software have been or are going to be blocked, and so have deprecated direct use of the CoinHive JS. Authedmine.com is now the official way to do things, and it operates only with consent.
Why make that assumption and leave users without blockers out to dry?
Why not just halt all payouts to the old software and only pay out to versions which are using the Authedmine.com version?
Why not do KYC on people who have a very high likelihood of using your software to violate the law?
Salon is the kind of magazine which will call (justly) for corporate responsibility in all sorts of industries, but when it comes to software makers just totally not doing the basic, easy things when it comes to respecting web security, they'll pay them.
But isn't it a dangerous road where we hold the makers of software responsible for nefarious uses? Paypal does a lot of this kind of fraud detection and prevention, and we all lambast them for it.
Halting payouts to those using the old software leaves legitimate users out to dry as well - whatever they do, someone is going to be miffed. I assume there will be a point in the future when they do refuse service to all the old API endpoints, but they can't rush that.
I am completely fine with this. The entire question of "How does a web site providing content 'for free' make money?" still seems to be in flux. Yes, people might push for some sort of micropayments thing, and The Guardian is making their method work, but I don't know if that's the exception or the rule. At least, not right now.
Given the choice, I prefer a background miner over ads. Even on a laptop that's running on battery. For one thing, removing the ads (and all the annoying JS they load) should make the page much better to load & navigate, meaning I can go through the content faster. If I don't want to use up my battery, then I'll add the site to my Read Later list, and read it then.
It wouldn't be so bad if Salon were using 5 or 10% of your CPU, but they are pushing it to 100%. Check out the discussion on r/BATProject[0] which is apart of the Brave browser. Brave is actually fighting the mining situation whilst also trying to help publishers and creators gain money.
Brave are actively blocking ads and background miners, but they offer verified publishers and creators to be donated Basic Attention Tokens (their own cryptocurrency). Users of Brave will be able to gain tokens either by purchasing them or by viewing ads within the browser rather than on the websites. If you're interested, I would recommend you check out their browser which is based on Chromium.[1]
I'd be okay with it if choosing to do this on your website wasn't going to obviously incentivize hackers to inject this software maliciously on unsuspecting websites to steal money from unsuspecting users.
The more legit websites do this, the more cryptojacking will wreak havoc on the web.
And for those who say they ask for consent so it's okay, why do the CoinHive people still pay out for versions of the software that don't ask for consent?
The less legit it is for a website to mine crypto, the easier it is for adblockers and security to block all such scripts without inconveniencing the user (less tradeoff of usability for security).
But when some sites use it and others doesn't, it makes security complicated and hacks are able to slip through easier.
Also, the more users get used to sites mining on their browsers, the less likely they will be perturbed by and reporting CPU usage spikes (which are used to determine which sites have been hacked by cryptojackers) because they are used to seeing legitimate such spikes from sites they frequent.
Yikes, you'd think a media company would be smarter than to use a software that returns hundreds of articles about malware as the top results of a google search for its name.
I had never really read anything from this site before and just searched it in Google News. Wow, you weren't wrong. And I'm probably THE target audience for that site (unabashedly leftist). It's very trashy.
Because your site showing up in other news outlets under a title like "Salon Magazine running cryptojacking malware on users" is terrible publicity.
I get that they are using the version which asks for consent, but why even take the risk of associating yourself with such a shady piece of software? If you make money of ads, you'd think you wouldn't want to do things that might scare away your users.
The software (script) itself is not malicious, it's the way it's used in a lot of cases. It's similar to how torrents are usually used for piracy, but has some legitimate uses.
It is being blocked as some other commenters showed.
I think the company needs to shut down shop and provide their explicit consent miner under a different name because as long as anyone looking up your company's name can only ever find articles about your company providing malware, you won't be very successful.
I don't think you understood. The name "CoinHive" is essentially synonymous with cryptojacking. A name change and a refusal to pay out to anyone using the version which does not ask the user are probably good steps for them to take (but obviously they won't do either because $$$)
CoinHive now has the authedmine.com domain, and the scripts served from there only run with explicit and temporary user consent. No reason to block that, although I think some blockers are doing so anyway.
Their website was already unreadable on mobile so I guess they're now going to make sure you can't view it on a desktop/laptop by pegging your cpu to 100%
That's config on the miner, can throttle to any CPU usage percentage. No reason for them to be stupid enough to peg at 100%. 50% to 70% seems much more reasonable. Most day to day, non professional applications barely use more than 30%.
Again mostly negative comments here. May I ask why? It's 100% opt-in so I don't really see what blocking mining scripts has to do with it. I also block mining scripts but that's for rogue sites doing it without my consent (The Pirate Bay) while this feels like a legitimate use-case. Correct me if I'm wrong.
The headline makes it sound like they automatically start it if you're using an adblocker. That is not the case. Check the screenshot in the article.
Cryptocurrency mining scripts are primarily delivered as malware. It seems kind of incredibly tone-deaf for a journalistic site to attempt to use it as a means of monetizing even if making it opt-in.
In theory, it's a great idea being 100% opt-in and all.
But in practice, we know that CoinHive is being used largely as malware, being injected in third-party sites to enrich hackers. And it's not a nice move to support that ecosystem and the company which clearly doesn't give two damns that their software is enabling so much hacking.
>The team don’t specifically track domains, so if a user’s email address is not, for example, “contact@website.com,” Coinhive often don’t know where or how the service is being used, though.
So they don't keep track of who uses the software (perfect for malicious users), and yes they offer an AuthedMiner but why are they still offering payouts to people who use the version which runs without user consent?
It's like me selling illegal firearms in the back of my store and people saying "Hey, he is really concerned about the negative effects of illegal arms dealing, that's why he sells legal firearms in the front of the store!"
The web is open and free because ads made it possible when the internet was first evolving. You only understand the internet as “free” because someone else was footing the bill to begin with. Ads can no longer support an open web as you once knew it. So, the web closes down (publishers gating their content - subscriptions) one by one and what do you end up with? A closed web. Plain and simple. Those who feel the web is “free” are under an illusion becaue they know and knew of nothing different. These people are ignorant and the ignorance is what is actually causing the web to close down faster. The more ignorance the faster it closes. I’m not saying ads and mining are great ways to pay the toll but it’s the only options since I don’t see any user here writing checks to websites out of good will. Salon at least is trying to keep the web “open” by giving options - and by the way, when did an option, in your control, ever offend you. Offended? Fine you don’t have to opt in. That’s like saying your pissed of because the restaurant accepts discover card when you only chose to carry Amex or cash.
There are a lot of people here who just don’t know what they are talking about and unfortunately they’ll never know who they are because they are always right. That’s fine because that’s the way the world works unfortunately and it’s human nature but a little honest research would do the greater community as a whole a great deal of good.
The problem with ads is that they are not just ads these days. There is a big industry whose "product" is tracking users across sites, trying to build detailed profiles in order to present people with targeted ads they are more likely to click on.
In other words, a massive invasion of privacy that may very well come back to haunt us (think of an oppressive government trying to find potential dissidents, either to bombard them with propaganda or worse).
Using my browser as a cryptocurrency miner as I visit a site has obvious problems, especially on mobile devices, but from a privacy perspective it is far less troubling. With the exception of blogs people write in their spare time, most web sites need a way to recover their expenses. Even more so for news sites that employ journalists etc.
At that point, the interesting question is how effective running a Javascript miner is. When I visit web sites using a browser that has no ad blocker or tracking protection installed, I notice that ads, tracking scripts, etc. can use quite a bit of CPU, RAM and bandwidth, too. If I could be sure that a site using crypto-miners does not just gobble up my phone's battery like crazy, the idea is not that bad, as long as sites are transparent and up-front about it.
Some sites already offer a model where you either have ads or make a donation and get an ad-free page. Something similar with cryptominers could work, too.
(All this assumes, of course, that web site owners play fair, which is hopelessly naive all too often.)
For this model to be successful(long term), sites/anyone who does this, must set an early precedent to inform and get consent from users.
(this is, of course, antithetical toward modern advertising philosophy)
Otherwise, it crosses a line from Adware to Malware, further validates the reclassification of ad blocking/protection from optional to required, and will meet a quick demise
They've been doing shady shit with JS for years like auto-reloading their home page and other shady practices. The only solution to sites running bad JS like Salon is to block the JS. uBlock origin, NoScript, etc. The only downside is that none of these tools is user-friendly enough to run without any user input. The idea that other entities should be able to run their code on my computer was a bad one to begin with and still is. I think people are slowly coming to that realization as this default begins to show just how dangerous it is.
If this is done without explicit permission from the user, I can see it being some sort of hacking offence.
So yes, I run adblockers. I will also run coinblockers. You're not going to be mining on my laptop processor and battery. Not yours.
If you don't want me reading your stuff for free (which is perfectly reasonable!) then block me, instruct your server not to send content on those terms. I'm happy with that. But I will not render your ads, nor run your mining script.
Out of curiosity... Rather than blocking ads, why not block sites that have ads? This way you comply with their implicit wish not to have you read their content without some sort of monetary return.
Honestly, it's a bit of a gray ethical area for me.
On one hand, what you say makes perfect sense.
On the other hand, I like having my cake and eating it, too. It's like having a buffet dinner where the host tells you: "sure, you can eat this juicy steak, but you also have to eat the surrounding shards of glass that I've put there to feed my thirst for human dignity".
If I particularly like the host I might do it, otherwise I'll just take the steak and leave.
I don't love ads but that is a pretty poor and dramatic analogy... It's more like eating a free buffet and the host asks you to listen to his annoying friends while you eat... Some of them write notes about you and share it amongst themselves... I'm not sure this is really an ethical grey area for you or just rationalizing it into grey area. If the website you are reading completely relies on ad revenue to pay its employees then it is pretty black and white that blocking the ads is not "ethical." If you really object to the ad model then you should do as the parent said and block websites which are ad-driven.
I've also worked at multiple publishing companies and I can tell you that although their owned and operated websites were run with ad money, none of the people involved had a thirst for human dignity. It is more like, we all wanted to make a living and enough people simultaneously wanted to read the content AND didn't mind the ads enough to click away. Any time I've seen subscription or pay per content tried at publishers I've been with it fails dramatically because the percentage of willing readers is just too small unless you are a very niche and valuable or very large and famous publisher.
I see adblocking as ethically justified because at the end of the day, I am only using my browser to ask for a resource from the content provider, and it is up to my computer, or by extension, the user controlling that computer, what to do with that resource if it is then provided.
If I put a piece of electrical tape physically over the ad on my monitor, I am effectively blocking the ad, but in this case the content provider gets to lie to their sponsor and say the ad made an impression, which just pushes the cost onto the sponsor. The ethics haven't really changed yet it is absurd to suggest that I am not free to put tape on my monitor.
I think it is hard to say that I am ethically obligated to pay attention to the ad just because a content provider unconditionally gave me something I asked for. The choice for content providers then, is to be like the WSJ, and simply quit giving away content unconditionally. If the content can't support itself that way, well, so be it. If no one was willing to pay for the content, doesn't this necessarily imply literally nothing of value was lost?
When you put something on the open web, you put something on the open web.
It's up to me to decide how and with what software I want to view the content.
If you do not want your stuff on the open web, stop putting it on the open web.. It's really simple
>> This way you comply with their implicit wish not to have you read their content without some sort of monetary return.
I make no promises about the way I'm going to render your site when I request data. I'm just requesting some data from the server.
I might be reading it in lynx, or over a slow connection with images turned off, or on an ancient browser, or whatever.
I prefer explicit to implicit - if you wish to enforce my rendering method, you shouldn't give me the data. I would even be happy with sending a flag in my request - XWillNotRender or whatever, so that you can filter me out easily if you wish. But once I have the data my device can show it to me however I wish.
For me, its because the open web came first: people posted websites, you request delivery of websites, they send you the page/content, everyone was happy.
Then people started using it to do naughty things. Javascript came along. Tracking cookies. Tracking pixels. Crosssite scripts, etc. Oi vey! But they didn't come along all in one go you see. We kept going to sites, and every now and then we noticed people slipping in little bits of naughty that we didn't explicitly ask for or expect when we visited their website.
So the technical amongst us kept up things as we always did, using the open web, but we just wrote a thing to block the naughty: say entries of particular servers into host files.
Then someone started packaging these things up into programs and lists of all the bad things people were doing on the web, and we realized we didn't have to do it ourselves anymore. So we just set ourselves up with our privacy keeping program, our cookie/javascript blocker, and our ad list, and kept on surfing the internet, just as we'd always been doing for years.
The thing to understand is: i've never seen an ad on you-tube not explicitly because i'm trying to screw youtube over, but because we were here first, we surfed the web, sharing content and when bad players appeared, we stopped/blocked them. Many of us just organically reached this position by taking action against things that made that the web experience worse...bit by bit. People started serving us things we didnt ask for, so we just blocked the scripts and servers for the things we didnt ask for.
It seems to me arse-backwards to ask why we don't block sites that have ads: its because the web and users and authors were here first and then the commercial sites and practices invaded. Why would we co-opt our behaviour and our communication to serve the needs of the immoral, the user hostile, the dishonest and the underhanded? So they can sell things? Oh please!
The web is not here to serve businesses and ads.
THEY IMPOSED THEIR VISION ON US! not the other way around!
I'm not spending my time to individually cater to the whims of invaders of the open web. I essentially just have automatic blocks of bad players and behaviours my computer won't talk to and won't participate in.
/incidentally, my blockers do automatically block a number of sites now. news.com.au is automagically blocked, presumably because its gotten to the point where its content to ads/hostility ratio is so low that asking it to serve up content is now indistinguisable to my blockers from a site being genuinely bad/hostile.
but youtube, etc is free to put up a wall or blocker any time they want to stop serving material on the open web. And if you serve something on the open web and people download it, i have the world's smallest violin here to play for you...
> If this is done without explicit permission from the user, I can see it being some sort of hacking offence.
When ads are enabled, your browser is sometimes executing javascript to conduct part of some ad-auction thing to figure out which is the best ad to show you (i don't work in ad-tech, so this is probably 60% incorrect, but you get the idea).
I don't fundamentally see the difference between a website running unsolicited mining crapware in your browser versus unsolicited adtech crapware. So I'm not necessarily disagreeing with you -- if running mining crapware is regarded as "hacking", then we may as well regard all client side code execution related to adtech as "hacking" too.
>> I don't fundamentally see the difference between a website running unsolicited mining crapware in your browser versus unsolicited adtech crapware.
Misuse of computer resources IMHO, no different to any other sort of code running on someone's machine with authorisation. We'd call this hacking in different circumstances.
I don't like the whole ad-auction-crapware thing, obviously, but it seems like it's a different thing to actually start using my hardware for your own calculations, using significant resources, without my explicit consent.
I'm sure salon aren't doing this, but I know I've stumbled across quite a few sites that do.
-- edit -- this just sparked something in my brain. Imagine Amazon Lambda but executed in the browser, by site visitors just like this...
Journalistic integrity doesn't die if your content is worth the price of admission.
Excessive ads on a site that serves click bait isn't a site worth a 100% hit against your PC, unless it allows you the profit, the entire amount or a portion depending how you are mining the coins using Moreno.
New York Times wants to charge for subscription over 5 articles a month, they put forth the effort to earn it. While not abusing my trust. They aren't forcing a user into a choice that is similar to a loss/loss situation like Salon.
I pay for electricity, I pay for internet. I pay for hardware. I don't pay directly to visit a site online. I pay a fee to access the content if it is locked down. But if someone wants to places ads, that doesn't take a hit on a system. Then the content is worth it.
If Salon wants to offer a choice of blocking those who AdBlock, or mine a currency for them. The site isn't worth any bit of it's content. I'll waste my processing power and actual power bill on something that benefits my own life and not the Salon Media Group.
https://news.ycombinator.com/item?id=16364919