notgiven688 / webminerpool

Complete sources for a monero webminer.

minerBlock fingerprinting #97

Closed ghost closed 5 years ago

ghost commented 5 years ago

https://github.com/xd4rker/MinerBlock/blob/master/js/minerkill.js#L49-L61

VidYen commented 5 years ago

Did it occur to anyone that we should stop using the word miner in our js code? I use the word worker in public code.

On Mon, Feb 4, 2019 at 10:34 PM Josh Habdas notifications@github.com wrote:

https://github.com/xd4rker/MinerBlock/blob/master/js/minerkill.js#L49-L61


VidYen commented 5 years ago

Well. It helps to have some type of opt-in system when you display your code. You shouldn't even load the js in the client until a cookie has been accepted or a consent POST or GET has been done. This seems to help avoid being blacklisted by automated scanners checking whether your site has malware.

But generally from what I've seen Brave and uBlock will just stop anything that is miner.js now so I just renamed it to common words.

On Tue, Feb 5, 2019 at 4:43 AM Josh Habdas notifications@github.com wrote:

Did it occur to anyone that we should stop using the word miner in our js code?

I'm personally more interested in making individuals aware of surveillance capitalism spread by adware and adjusting hearts and minds by educating people on what is and isn't considered jacking. But that's the nugget MSM and security (funded) firms have been doling out to the public, so we've got some work in front of us.


VidYen commented 5 years ago

Well... It's just a suggestion, as I have seen it appear that, other than people getting angry and reporting you to AV companies, they do seem to have an automated process of finding them out. I'm guessing it's as easy as just seeing if there is a js file with the word mining in it, or if there is some mining activity once the js loads.

Of course, Malwarebytes and other AV companies won't brute force your POSTs or cookies, so that's why I recommended making it bot crawl unfriendly.

So I do it by default as I try not to get the users of my plugin blacklisted by Malwarebytes.

Usually, it's hard to convince people that it's not malware if Malwarebytes puts a big red error on your website shouting it's malware. And Brave and uBlock pull from that shared list at some point.

Given this, I usually write my plugins to talk to MoneroOcean through the local server itself, at least for stats, as MoneroOcean is blocked by Malwarebytes and even by Comcast at an Airbnb I have stayed at. Usually web host servers don't care who they talk to from php with curl.

I'm not sure we should discuss it here as this is a social debate and not a technical one. If Coinhive couldn't negotiate with Malwarebytes on the definition, I don't think Notgiven can either.

If you are being flagged as malware even though you are doing it with consent, just use euphemisms for the word miner, find and replace it with some common word like "employee" or something in your code, and then don't expose your code in ways that the security bots can easily see it.

And you can still say the word "Miner" or "Mining" in the text of the HTML to get consent.

Malwarebytes can't block every coal industry supporter's website.

On Tue, Feb 5, 2019 at 3:20 PM Josh Habdas notifications@github.com wrote:

You shouldn't even load the js in the client until a cookie has been accepted or a consent POST or GET has been done.

That's where I will politely disagree. Miners give us the ability to build with transparency. If someone wants to visit my site I give them the option to disable it. After all, it's my site https://after-dark.habd.as/module/toxic-swamp/.

Being concerned as I am with UX, however, I wouldn't want to drain the last 2% of someone's battery—so the miner only engages itself automatically when it knows my visitor has persistent power.

As for Brave et al., their only option will be to disable WASM and JavaScript entirely—which they won't do. But Firefox was smart enough to disable the Battery Status API, so I can't auto-start the miner there.

As for cryptojacking there are umptysquillion definitions out there and almost every one of them gets it wrong in my eyes—mostly because some choose to mine surreptitiously and no one has ever seen a transparent miner https://after-dark.habd.as/module/toxic-swamp/.


ghost commented 5 years ago

Well, this is out here now so everyone knows. :D