minerBlock fingerprinting
VidYen commented
Did it occur to anyone we should stop using the word miner in our js code?
I use the word worker in public code.
…On Mon, Feb 4, 2019 at 10:34 PM Josh Habdas ***@***.***> wrote:
https://github.com/xd4rker/MinerBlock/blob/master/js/minerkill.js#L49-L61
VidYen commented
Well. It helps to have some type of opt-in system when you display your
code. You shouldn't even load the js in the client until a cookie has been
accepted or a consent POST or GET has been done. This seems to help avoid
being blacklisted by automated scanners seeing if your site has malware.
But generally from what I've seen Brave and uBlock will just stop anything
that is miner.js now so I just renamed it to common words.
…On Tue, Feb 5, 2019 at 4:43 AM Josh Habdas ***@***.***> wrote:
Did it occur to anyone we should stop using the word miner in our js code?
I'm personally more interested in making individuals aware of
surveillance capitalism spread by adware and adjusting hearts and minds by
educating people on what is and isn't considered *jacking*. But that's
the nugget MSM and security (funded) firms have been doling out to the
public so we've got some work in front of us.
VidYen commented
Well... It's just a suggestion as I have seen it appear that other than
people getting angry and reporting you to AV companies, they do seem to
have an automated process of finding them out. I'm guessing it's easy as
just seeing if there is a js file with the word mining in it or if there is
some mining activity if the js loads.
Of course, Malwarebytes and other AV companies won't brute force your POSTs
or cookies, so that's why I recommended making it bot crawl unfriendly.
So I do it by default as I try not to get the users of my plugin
blacklisted by Malwarebytes.
Usually, it's hard to convince people that it's not malware if Malwarebytes
puts a big red error on your website shouting it's Malware. And Brave and
uBlock pull from that shared list at some point.
Given this I usually write my plugins to talk to MoneroOcean through the
local server itself at least for stats as MoneroOcean is blocked by
Malwarebytes and even with Comcast at an Airbnb I have stayed at. Usually
web host servers don't care who they talk to on the php with curl.
I'm not sure we should discuss it here as this is a social debate and not a
technical one. If Coinhive couldn't negotiate with Malwarebytes on the
definition, I don't think Notgiven can either.
If you are being flagged as malware even if you are doing it with consent,
just use euphemisms for the word miner and find and replace it with some
common word like "employee" or something in your code and then don't expose
your code in ways that the security bots can easily see it.
And you can still say the word "Miner" or "Mining" in the text of the HTML
to get consent.
Malwarebytes can't block the entire coal industry supporter websites.
…On Tue, Feb 5, 2019 at 3:20 PM Josh Habdas ***@***.***> wrote:
You shouldn't even load the js in the client until a cookie has been
accepted or a consent POST or GET has been done.
That's where I will politely disagree. Miners give us the ability to build
with transparency. If someone wants to visit my site I give them the option
to disable it. After all, it's my site
<https://after-dark.habd.as/module/toxic-swamp/>.
Being concerned as I am with UX, however, I wouldn't want to drain the
last 2% of someone's battery—so the miner only engages itself automatically
when it knows my visitor has persistent power.
As for Brave et al., their only option will be to disable WASM and
JavaScript entirely—which they won't do. But Firefox was smart enough to
disable the Battery Status API so I can't auto-start the miner there.
As for *cryptojacking* there are umptysquillion definitions out there and
almost every one of them gets it wrong in my eyes—mostly because some
choose to mine surreptitiously and no one has ever seen a transparent
miner <https://after-dark.habd.as/module/toxic-swamp/>.
Deleted user commented
Well, this is out here now so everyone knows. :D