jspenguin2017 / uBlockProtector

An anti-adblock defuser for Nano Adblocker and uBlock Origin
GNU General Public License v3.0

cnhv.co #624

Closed Zhangsun321 closed 6 years ago

Zhangsun321 commented 6 years ago

a crypto mining site.. will only work correctly.. when the JS is enabled for it to mine coin on my cpu.

https://en.freemags.cc/entertainment-weekly-october-06-2017.html click on the icebox download MAKE sure js is disabled.. https://i.imgur.com/UiFMmvs.png is the screen.... more or less.. if I don't let the js run.... it won't let me get the file.. or would it be more like a new form of image captcha rather than an anti ad blocker?

this is a new miner... not the coin-hive as before... https://coinhive.com/#captcha has some documentation with some js..

jspenguin2017 commented 6 years ago

Yes, I heard of that, but no, I can't bypass server side Proof of Work enforcement.

jspenguin2017 commented 6 years ago

I will be fixing "disable adblock or give PoW", but I can't fix those asking for PoW unconditionally.

Zhangsun321 commented 6 years ago

ohh.. ok... I've not seen disable adblock OR give pow.....
will let you know if I do... thanks for educating me more on the matter!

jspenguin2017 commented 6 years ago

I won't add a white list as they start the mining process as soon as the page loads, and I want the user to have the control in their hand.

uBlock-user commented 6 years ago

The url itself should be blacklisted, cnhv.co is also owned by coinhive.

jspenguin2017 commented 6 years ago

Well, it is a URL shortener, some people would really need the link hidden behind the PoW.

uBlock-user commented 6 years ago

Can't it be bypassed and redirect the user to the destination link ? It doesn't have any reCaptcha.

jspenguin2017 commented 6 years ago

The "captcha" is the proof of work, the proof that you have mined for them.
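Why a content blocker cannot skip this gate, as an added example that is not part of the original thread and is not Coinhive's actual protocol: a simplified hashcash-style check in which the server withholds the destination until it has verified the submitted work itself. `SERVER_SECRET`, `DIFFICULTY_BITS`, `DESTINATION` and all function names are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

const SERVER_SECRET = crypto.randomBytes(32);       // known only to the server
const DIFFICULTY_BITS = 12;                         // constructed value, small for a demo
const DESTINATION = 'https://example.com/file.pdf'; // hypothetical protected link

// Count the leading zero bits of a digest.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24;
  }
  return bits;
}

function workDigest(challenge, nonce) {
  return crypto.createHash('sha256').update(`${challenge}:${nonce}`).digest();
}

// Server: hand out a random challenge plus an HMAC tag, so that only
// challenges issued by this server are accepted later.
function issueChallenge() {
  const challenge = crypto.randomBytes(16).toString('hex');
  const tag = crypto.createHmac('sha256', SERVER_SECRET).update(challenge).digest('hex');
  return { challenge, tag };
}

// Client: there is no shortcut, a valid nonce is found only by hashing.
function solve(challenge) {
  let nonce = 0;
  while (leadingZeroBits(workDigest(challenge, nonce)) < DIFFICULTY_BITS) nonce++;
  return nonce;
}

// Server: re-check tag and work itself; the link is returned only on success.
function redeem({ challenge, tag, nonce }) {
  const expected = crypto.createHmac('sha256', SERVER_SECRET).update(String(challenge)).digest();
  const given = Buffer.from(String(tag), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return leadingZeroBits(workDigest(challenge, nonce)) >= DIFFICULTY_BITS ? DESTINATION : null;
}

// Demo run: the link is released only after the client has done the work.
const issued = issueChallenge();
console.log(redeem({ ...issued, nonce: solve(issued.challenge) }));
```

The destination never reaches the client until `redeem` succeeds, so nothing running in the browser can read it early. Challenge expiry and single-use tracking are left out of this sketch.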

uBlock-user commented 6 years ago

Ah, so they want you to whitelist the JS, so it can mine first and then redirect you. Such diabolical bastards!

uBlock-user commented 6 years ago

Personally, after this mining incident came to light I immediately subd' to adblock-nocoin-list, it's not worth muddling with such people who are here to rape your device resources.

jspenguin2017 commented 6 years ago

It is pretty efficient for a JS miner, it is able to use all 4 cores, the redirect takes 2~5 seconds for me.

jspenguin2017 commented 6 years ago

There is a new filter for uBO, called uBlock filters – Resource abuse, which should be automatically enabled soon. It blocks JS miners and WebRTC torrent(?) abuse.

uBlock-user commented 6 years ago

Doesn't matter, it's still non-consensual use of resources

uBlock-user commented 6 years ago

Also laptops and personal computers are not built for handling such heavy continuous load. There're mining rigs which should be used if someone wants to mine. They're built for that purpose specifically.

> There is a new filter for uBO, called uBlock filters – Resource abuse, which should be automatically enabled soon.

https://i.gyazo.com/77e1ab49896f6445f04ba43e11e910bd.png

Got it now by Purging all caches and force updating them all.

jspenguin2017 commented 6 years ago

Yea, I'm thinking of adding a button for them, because there isn't a way to temporarily white list a domain, after you white list it, you'll get your redirect but you need to turn off the white list in uBO settings...

jspenguin2017 commented 6 years ago

Obviously laptops can't handle that, but PCs usually can. Mining rigs use the same hardware components after all.

uBlock-user commented 6 years ago

You may be able to mine on PC but that would only shorten your PC's processor life, as it was never meant to handle that. Many people do that and I used to do that myself when Bitcoin and other shitcoins were huge news back in 2013, so I know.

uBlock-user commented 6 years ago

By whitelist you mean whitelist in uBO and then internally redirect via a loopback in the Extension ?

jspenguin2017 commented 6 years ago

By the time it breaks it's probably time for an upgrade anyway, either way, 3 seconds isn't going to have an effect. I'm still thinking of adding a button for them so users don't need to white list the entire domain just to find that the un-white list button is gone, but on the other hand, it'll be trivial to get around my button.

jspenguin2017 commented 6 years ago

Can't loopback, the mining library needs to connect to the mining pool to know what to mine (and send back proof of work). So the user has to disable uBO on the entire cnhv.co domain in order to get past the redirect. It would be handy if uBO has a "disable for 5 minutes" or something. Like what NoCoin did.

uBlock-user commented 6 years ago

Mine broke within a year, by broke I mean the motherboard circuit, not the processor and it was a 2010 model, of course those 3 seconds here won't break anything but the question is why allow some third-party website to forcibly use our device resources without us knowing anything about it.

uBlock-user commented 6 years ago

> It would be handy if uBO has a "disable for 5 minutes" or something

That won't ever happen on uBO, that I can tell you.

jspenguin2017 commented 6 years ago

There isn't "won't ever" in open source, as I can always fork. I don't really care though, as there is NoCoin.

uBlock-user commented 6 years ago

Gorhill will not do it, that's what I meant. Forking doesn't mean people will start using your version of the blocker over gorhill's. Yeah, it doesn't matter to me either as I would rather block the entire domain than tangle with it by whitelisting it.

jspenguin2017 commented 6 years ago

Why do I want other people to use my version? It'll be a personal project. Shouldn't be too hard, just a timer hooked into white list manager. I might do it if I care enough.

uBlock-user commented 6 years ago

I don't know, I thought you wanted to generalise the feature and didn't think you wanted it for yourself though, but if you're ok with the idea of whitelisting then it could work out for you, but once they start showing ads and adding adware/malware, whitelisting would turn into an issue itself. As usual all such webmasters get greedy in time so don't think they won't do it, they always do.

jspenguin2017 commented 6 years ago

That's the problem, NoCoin will only temporarily white list mining related resources, and not other ads on the same page. If I ever fork uBO I'll smash the 5 extensions I use together, which would be pretty unusable for everyone else.

uBlock-user commented 6 years ago

> NoCoin will only temporarily white list mining related resources

It doesn't matter, they can always put ads into that specific whitelisted JS and mix it right in, then it will become a cat and mouse game again. Ultimately, the webmaster will do whatever he can just like that guy from lolaylitics.com

jspenguin2017 commented 6 years ago

That's web development, pretty fun isn't it?

uBlock-user commented 6 years ago

For you ? I suppose. I hate it personally, as it's only being used for hostility towards the users.

That's "web exploitation", hardly any development.

jspenguin2017 commented 6 years ago

It's always going to be a cat and mouse game. Just when you thought things couldn't be any worse, there comes cosmetic filter bypassing (Chromium / Chrome only). Demo - Bug

uBlock-user commented 6 years ago

and this brings the necessity of Eternal Vigilance, this is a war and someone will always have to fight it on our side till the inevitable end. Unfortunately, Chromium suffers from these kind of nasty bugs a lot and that's the core problem unlike FF which I hardly heard of.

jspenguin2017 commented 6 years ago

Firefox 58 sounds really promising, a lot of good APIs and the CSP bug is finally going to be fixed. I have no problem jumping between the two browsers when time comes. But this year still isn't the year of Firefox.

The current Firefox has more problems than Chrome, and 57 is probably going to be a disaster, 58 is when things will start to turn around.

uBlock-user commented 6 years ago

I do have FF 58 Nightly on my USB stick, but I will still use Chromium. I rarely face these bugs for most of the time, so I can deal with them with workarounds when the time comes.

jspenguin2017 commented 6 years ago

Actually, uBO doesn't inject itself into about:blank frames at all, that is exploitable. Hum... The behavior on Firefox is different...

uBlock-user commented 6 years ago

kisshentai.net has now begun mining too and that too silently without any notification - http://kisshentai.net/Content/js/c-hive.js

looks like I will have to start filtering words coinhive and c-hive.

jspenguin2017 commented 6 years ago

Nah, won't work, they can very well name it index.js. As long as the pool is blocked, it won't use too much CPU, just a tiny bit when it tries to start. There is a proposal in NoCoin repo to override CoinHive identifier, but well, they can just rename it, closure it, etc. Blocking the mining pool is the key, everything else is bypassable. Or block workers, but that can break things.
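The difference between the two blocking strategies discussed here, as an added example that is not part of the original thread and is not uBO's own code: a matcher for a small subset of uBO static filter syntax (`||` hostname anchor, `*` wildcard, `$type` option), run over constructed request logs. The pool host `miner-pool.example`, the renamed script URL and all function names are placeholders.

```javascript
// Parse one filter from a small subset of uBO static filter syntax:
// "||" hostname anchor, "*" wildcard, and a "$type" option list.
function parseFilter(line) {
  const cut = line.lastIndexOf('$');
  const pattern = cut === -1 ? line : line.slice(0, cut);
  const types = cut === -1 ? [] : line.slice(cut + 1).split(',');
  const anchored = pattern.startsWith('||');
  const body = (anchored ? pattern.slice(2) : pattern)
    .split('*')
    .map(part => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  // "||" matches at the start of the hostname or of any parent domain.
  const prefix = anchored ? '^[a-z][a-z0-9+.-]*://([^/]+\\.)?' : '';
  return { regex: new RegExp(prefix + body, 'i'), types };
}

function isBlocked(filters, request) {
  return filters.some(f =>
    f.regex.test(request.url) && (f.types.length === 0 || f.types.includes(request.type)));
}

// A miner needs both its script and its pool connection to get through.
function minerCanWork(filterLines, requests) {
  const filters = filterLines.map(parseFilter);
  return requests.every(r => !isBlocked(filters, r));
}

// Name-based filters of the kind considered in the thread.
const NAME_FILTERS = ['||kisshentai.net/Content/js/c-hive.js', 'coinhive$script', 'c-hive$script'];
// Pool-based filter; miner-pool.example is a placeholder host.
const POOL_FILTERS = ['||miner-pool.example$websocket'];

// Constructed request logs: the deployment from the thread and a renamed copy.
const POOL_REQUEST = { url: 'wss://ws1.miner-pool.example/proxy', type: 'websocket' };
const ORIGINAL = [{ url: 'http://kisshentai.net/Content/js/c-hive.js', type: 'script' }, POOL_REQUEST];
const RENAMED = [{ url: 'https://site.example/assets/index.js', type: 'script' }, POOL_REQUEST];

for (const [label, list] of [['name filters', NAME_FILTERS], ['pool filter', POOL_FILTERS]]) {
  console.log(label, 'original:', minerCanWork(list, ORIGINAL), 'renamed:', minerCanWork(list, RENAMED));
}
```

Only the pool filter holds for both logs, because the WebSocket endpoint is the one dependency the page operator cannot rename locally.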

uBlock-user commented 6 years ago

I know, but I'm not doing it specifically for kisshentai, I'm doing it for all websites in general. Not every one of those guys is gonna go for the name change.

Now, the problem here is it's spamming console and uBO-logger even after WebSocket connection to the pool is blocked and that is bad if it keeps trying to connect and then fail and then try again, so I patched it via CSP and string filtering the js name, killing it, so my console and uBO-logger spamming is stopped for good.

jspenguin2017 commented 6 years ago

You should report it to uAssets.

uBlock-user commented 6 years ago

I'm not sure whether it will be blocked as I want. My problem here is not the silent mining which is already taken care by my blanket blocking $websocket filter, but spamming of console and uBO-logger, that's why I didn't bother to post it there myself.

Edit - It relies on WebAssembly, so blowing it up should also patch it for good in case they decide to change the name of the JS.

jspenguin2017 commented 6 years ago

@okiehsch Do you want to block ||kisshentai.net/Content/js/c-hive.js in uBlock filters? It spams requests.

okiehsch commented 6 years ago

Thanks.

uBlock-user commented 6 years ago

Another one - mylink.st/OqQzF7J

jspenguin2017 commented 6 years ago

That one does not mine automatically, so no need to block.